Perspectives Newsletter

Summer 2013


With HIPAA Deadline Looming, There’s Not a Minute to Spare

If you work in the healthcare industry, you are undoubtedly familiar with the final HIPAA Omnibus Rule. But if your organization had a data breach on September 24th, would you be able to comply with all of the new regulations? September 24th is crucial because the deadline for compliance is September 23, 2013.

The regulations became effective in March, but the U.S. Department of Health and Human Services (HHS), which enforces them, is giving organizations until September to comply. Given the complexity of the regulations, organizations should consult their legal counsel to ensure that they are in compliance.

The new regulations consist of many changes, but the most important, perhaps, is how a healthcare breach is now defined. The new definition is broader, meaning more incidents will be classified as breaches. And with more breaches being reported, organizations will need to be more prepared to handle them.

Incident Response Plans Play Bigger Role

One of the best defenses is to employ a strong IT security posture to try to prevent a breach. But with so much data changing hands constantly, breaches are often unpreventable. If this is the case, then having an up-to-date incident response plan is the way to go.

An accurate response plan is like having a GPS system in the middle of a fierce storm. It tells you exactly what to do and how to do it, at a time when many people aren’t thinking straight. And one of the most important aspects of the plan is your response team. These are the folks who will help you comply with the new regulations.

The new regulations – designed to give patients more security and privacy – include new risk assessment guidelines, business associate requirements, a new timeline for reporting the breach and other changes.

New Risk Assessment Guidelines

Organizations will use the new assessment guidelines to determine whether an incident should be reported as a breach. The new guidelines replace the “harm standard” from 2009. At that time, organizations had to assess whether a significant risk of “harm” would be caused to individuals whose Protected Health Information (PHI) was exposed. This determined whether an incident qualified as a breach.

Now, organizations have to determine the probability that the PHI has been compromised, regardless of whether the exposure would cause harm to the affected individuals. So if an organization finds a high probability that the PHI has been compromised, the incident is considered a breach even if nobody would be harmed. To make this determination, organizations must follow the new assessment guidelines, which require answering the following questions:

  • What was the nature and extent of the PHI involved (including the types of identifiers and likelihood of re-identification)?
  • Was the PHI actually acquired or viewed by an unauthorized person? If so, who is this person?
  • To what extent has the risk to the PHI been mitigated?

Business Associates Face Tougher Regulations

Another major change involves business associates and their subcontractors. Both will now be directly liable if they violate the regulations and will face the same fines and penalties as healthcare organizations and other covered entities. Business associate agreements are still required between healthcare organizations and business associates. But now they are also required between business associates and subcontractors. (See sidebar below)

Stiffer Fines on the Horizon 

Other changes include reporting the breach to HHS at the same time as an organization notifies its clients or patients that their PHI has been exposed. And the fines for repeat offenders have been increased substantially. Those who violate the regulations more than once can face a fine of up to $1.5 million.[1]

So don’t let a healthcare breach catch you off guard. Make sure you have strong IT security systems and your incident response plan is comprehensive, up-to-date and has been tested throughout your organization.


For more information on incident response plans, download our updated Data Breach Response Guide, which has the latest information on the HIPAA Omnibus Rule.


[1] U.S. Department of Health and Human Services, Federal Register, January 25, 2013.

© 2014 Experian Information Solutions, Inc. All rights reserved.