If you have any questions about our resources or any topics related to Experian Data Breach Resolution, please contact us at firstname.lastname@example.org or call 1 866 751 1323.
If you work in the healthcare industry, you are undoubtedly familiar with the final HIPAA Omnibus Rule. But if your organization had a data breach on September 24th, would you be able to comply with all of the new regulations? September 24th is crucial because the deadline for compliance is September 23, 2013.
The regulations became effective in March but the U.S. Department of Health and Human Services (HHS), which enforces them, is giving organizations until September to comply. Given the complexity of the regulations, organizations should consult with their legal counsel to assure that they are in compliance.
The new regulations consist of many changes, but the most important, perhaps, is how a healthcare breach is now defined. The new definition is broader, meaning more incidents will be classified as breaches. And with more breaches being reported, organizations will need to be more prepared to handle them.
One of the best defenses is to employ a strong IT security posture to try to prevent a breach. But with so much data changing hands constantly, breaches are often unpreventable. If this is the case, then having an up-to-date incident response plan is the way to go.
An accurate response plan is like having a GPS system in the middle of a fierce storm. It tells you exactly what to do and how to do it, at a time when many people aren’t thinking straight. And one of the most important aspects of the plan is your response team. These are the folks who will help you comply with the new regulations.
The new regulations – designed to give patients more security and privacy – include new risk assessment guidelines, business associate requirements, a new timeline for reporting the breach and other changes.
Organizations will use the new assessment guidelines to determine whether an incident should be reported as a breach. The new guidelines replace the “harm standard” from 2009. At that time, organizations had to assess whether a significant risk of “harm” would be caused to individuals whose Protected Health Information (PHI) was exposed. This determined whether an incident qualified as a breach.
Now, organizations have to determine the probability of the PHI being compromised, regardless of whether it would cause harm to the affected individuals. So if an organization finds that there’s a high probability that the PHI will be exposed to danger, then the incident would be considered a breach even if nobody would be harmed. In order to make this determination, organizations must follow the new assessment guidelines, which need to answer the following questions:
Another major change involves business associates and their subcontractors. Both will now be directly liable if they violate the regulations and will face the same fines and penalties as healthcare organizations and other covered entities. Business associate agreements are still required between healthcare organizations and business associates. But now they are also required between business associates and subcontractors. (See sidebar below)
Other changes include reporting the breach to HHS at the same time as an organization notifies its clients or patients that their PHI has been exposed. And the fines for repeat offenders have been increased substantially. Those who violate the regulations more than once can face a fine of up to $1.5 million.1
So don’t let a healthcare breach catch you off guard. Make sure you have strong IT security systems and your incident response plan is comprehensive, up-to-date and has been tested throughout your organization.
For more information on incident response plans, download our updated Data Breach Response Guide, which has the latest information on the HIPAA Omnibus Rule. Learn More Here
1 U.S. Department of Health and Human Services, Federal Register, January 25, 2013