Key Take-Aways of the New HIPAA Omnibus Rule

Published: July 23, 2013 by ofonseca

The number of medical data breaches continues to escalate, and so, it seems, do the consequences for experiencing one. Medical data breaches accounted for more than a third (34.5 percent) of all data breaches that occurred in 2012, according to the Identity Theft Resource Center.

Whether a large corporate hospital or a local dental office, health care providers who experience a data breach are at risk of running afoul of some hard-hitting consumer protection laws, including the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA Omnibus Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

These laws set expectations for what health care providers must do to protect patient privacy and data, and provide penalties for violations of the rules.

The HIPAA Omnibus Rule has particular significance for organizations concerned with data breach protection. Recognizing the growing problem of medical identity theft and its intrinsic link with medical data breaches, federal authorities have tightened HIPAA privacy and security protection requirements, and breach notification requirements. These measures have brought HIPAA more in line with HITECH, which was a sweeping piece of legislation aimed at enhancing patient privacy and protection.

The Omnibus Rule took effect on March 26, 2013, and all HIPAA-covered entities must comply with the updated rules by Sept. 23, 2013. Some of the most significant provisions of the law that are specific to data breaches include:

  • The rule now presumes any impermissible use or disclosure of information protected under HIPAA’s privacy provisions qualifies as a breach, unless the breached organization can demonstrate that it’s unlikely the breach has compromised the information.
  • Even if the data improperly accessed did not include birth dates and ZIP codes, it is still considered a breach of protected information, unless the organization demonstrates that it’s unlikely the breach has compromised the data.
  • HIPAA-covered entities must still notify both the Secretary of Health and affected consumers of all data breaches that affect fewer than 500 people, but now have until 60 days after the end of the calendar year in which the breach was discovered, rather than the year in which it occurred.

Compliance with these new provisions of privacy and security laws should be a part of every health care company’s data breach resolution plan. Having such a plan in place can help mitigate the damages associated with a data breach – including the legal ramifications of running afoul of privacy laws.

Reference links:

2012 Medical Data Breach statistics from the Identity Theft Resource Center, www.idtheftcenter.org

HIPAA Omnibus Rule information from the Federal Register.

*The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.