HIPAA Omnibus: Breach Notification Tips
Experts Outline Six Critical Steps
Under the final breach notification rule that's included in the new HIPAA Omnibus Rule, which takes effect March 26, many covered entities and business associates will need to modify how they assess whether to report a breach.
To prepare for compliance, organizations must take six critical steps, experts say. Those include: Understand the new guidance about how to assess whether breach notification is required; modify breach assessment processes to incorporate the new standard; know when to implement the new assessment approach; document those assessments; train staff on the new assessment standard; and ensure that business associates are taking appropriate steps.
1. Understand Modified Standard
The interim final breach notification rule, in effect since September 2009, contains a "harm standard," under which organizations were required to assess whether an incident was likely to result in financial, reputational or other harm to an individual, and thus, merited reporting.
Under the HIPAA Omnibus Rule, this harm standard is replaced by more objective guidance on breach notification.
As a result of the new guidance, breach incidents must be reported unless the risk of compromise is low, says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology.
Susan McAndrew, deputy director of the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, explains: "What we ask the entity to consider is: Is it likely that the breach will result in the information itself, the data that was lost, being compromised in some way?"
2. Modify Assessments
Under the HIPAA Omnibus Rule, organizations now must consider four factors in assessing breaches:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
Under the old "harm standard," how organizations weighed whether risks should be reported was inconsistent, McAndrew notes.
"There was a lot of comment that we received that it was difficult for covered entities really to assess individual-by-individual what kind of risk was being posed - that some individuals may be more vulnerable than others," she says. "Particularly in things like reputational harm, it was very difficult for them to know, and it was considered to be too subjective."
Under the new rule's more objective guidance, once an organization considers the four factors listed, as well as any other relevant factors, it must report a breach "unless it can say through an analysis of these factors that there's only a low probability that protected health information that was lost will be compromised as a result of that loss," McAndrew says.
3. Know When to Implement
While the new breach notification rule takes effect on March 26, the compliance date for HIPAA Omnibus is Sept. 23. That means organizations have a six-month grace period to get in place their modified processes and procedures for assessing breaches under the new standard.
For breaches that occur between now and the compliance deadline of September 23, OCR will investigate the incidents based on what breach notification standard the organization chose to apply, McAndrew says.
"If they went ahead and implemented the change from the harm standard to the new standard, then we would investigate that breach under whatever standard they used," she says. "If they were still using the standard in the interim final rule, we would not say that they were out of compliance simply because they were not using the more objective standard."
Kate Borten, president of security consultancy The Marblehead Group, suggests that organizations begin using the new, more objective notification standard well before the compliance deadline of Sept. 23. She emphasizes that the four objective factors to be weighed were already spelled out in the interim final rule's preamble and should also have been considered in breach assessments all along.
4. Document Assessments
McGraw, the privacy advocate, says that when evaluating an incident using the four factors, it's critical to document how each question was considered.
"There's no such thing as over-documentation," she says. OCR could end up investigating the case several years after it occurred, she points out.
And if that happens, organizations don't want to depend on foggy memories to defend breach notification decisions made years ago, McGraw stresses.
5. Train Staff
"Whoever is involved with risk analysis of breaches should be trained on the updated rule and be ready to follow any changes in the procedures used for determining breach notification," says Mac McMillan, CEO of security consulting firm CynergisTek.
Under the old harm standard, because it was often "impossible to prove harm was done," many organizations "assumed the best rather than the worst" to avoid notification, McMillan notes. But the new rule, thankfully, "is much less ambiguous," he adds.
Borten suggests organizations cut and paste portions of the HIPAA Omnibus breach notification rule, and the interim final rule preamble, along with the incident examples that OCR provides, into their assessment procedure manuals for easy referral by staff.
Staff also should be encouraged to report suspected breaches to their managers or compliance departments for investigation, she says. "That's the only way to build a security-conscious workforce."
6. Check with Business Associates
Finally, it's also important for hospitals and others to make sure that business associates and their subcontractors realize that under HIPAA Omnibus, their new direct liability for HIPAA compliance includes notifying covered entities about breaches.
The HIPAA Omnibus Rule states that for breaches involving a subcontractor, that company is responsible for notifying the business associate, who is then responsible for notifying the covered entity. The covered entity is responsible for notifying affected individuals, HHS, and, for major breaches, the news media.
For more advice on HIPAA Omnibus Rule compliance, see: HIPAA Omnibus: 4 Timely Compliance Tips.