Articles In This Issue

Have you had a data breach?

If you have any questions about our resources or any topics related to Experian Data Breach Resolution, please contact us at or call 1 866 751 1323.

Time to Get Wise to the HIPAA Omnibus Rule

The clock is ticking for HIPAA Omnibus Rule compliance. Organizations have until September 23, 2013 – just five months from now – to comply with new business associate (BA) requirements, new risk assessment guidelines and more. There’s something new for everyone, including a new fine structure that makes violations, and especially repeat violations, more costly than ever.

Easy-does-it fines are finished
Under the new rule, first-time violations will still come at a cost of up to $50,000 per violation per year. What’s changed is that the lower tier of fines for repeat violations is gone; they could now result in a whopping $1.5 million fine.  

Clearly healthcare organizations and BAs, no matter how big or small, need to emphasize data security and breach preparedness in order to help avoid these devastating penalties. With fines being based on the size, severity and handling of an incident, even a small company could be hit with a big fine, potentially bankrupting an organization.

BAs are responsible
With the new omnibus rule, the Department of Health and Human Services (HHS) makes BAs liable under the Security Rule and various provisions of the Privacy Rule. What’s more, if a BA hires a subcontractor to handle, manage or otherwise access protected health information (PHI), including medical record numbers and Social Security numbers, a business associate agreement (BAA) is required.

This comes at a time when 65 percent of companies are experiencing a data breach at a vendor within 24 months of outsourcing data, according to the Ponemon Institute’s recent Securing Outsourced Customer Data Study. For 54 percent of companies, it happens an astounding two to 10 times within two years.1

The new requirements should result in greater accountability and increased data security at all levels of companies handling PHI. Ultimately, that’s great news for patients and for the covered entities who want to retain their business and trust.

Risk assessments are more stringent
No matter what type of entity experiences data loss, there are new guidelines for determining if the incident is a healthcare breach. The 2009 Interim Final Rule required organizations to assess the risk of harm that the data loss posed to affected individuals; the guideline turned out to have too many gray areas.

Now organizations must conduct a documented risk assessment that answers:

  1. What’s the nature and extent of PHI involved (include types of identifiers and the likelihood of re-identification)?
  2. Who is the unauthorized person or party who used the PHI or to whom was the disclosure made?
  3. Was PHI actually acquired or viewed?
  4. To what extent has the risk to PHI been mitigated?

It’s no longer the risk to affected individuals that qualifies an incident but the probability of compromise of the data that was lost. Essentially, under the new rule, a greater number of incidents may now qualify as a breach.

The omnibus rule further clarifies a few gray areas regarding breach notifications, specifically:

  • A press release on a covered entity’s website does not fulfill the media notification requirement; a press release to media outlets located where affected individuals reside does.
  • Reporting a breach involving 500 or more individuals “immediately” to HHS means at the same time an organization notifies those affected.

The complexities of the omnibus rule are vast, so be sure you’re working ahead of the clock to be in compliance by September 23.

For more on the HIPAA Omnibus Rule, please visit

1Securing Outsourced Consumer Data, Ponemon Institute (February 2013)

Legal Notice
The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.

Experian and the Experian marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the property of their respective owners.