90 days. That’s all the time healthcare organizations have between now and the September 23 HIPAA Omnibus compliance date. Understandably, most healthcare compliance officers are focusing on the significant changes spelled out in the regulations: obtaining business associate agreements, updating notices of privacy practices, and training staff members on the changes to the law. While healthcare facility managers must make sure that these listed requirements are met, they should also be concentrating on how the newest wrinkle in HIPAA will drastically affect their organizations in years to come. This, of course, is the new definition of “breach.”
Before the Omnibus and faced with a PHI security incident, compliance officers performing a risk assessment had a relatively straightforward question to ask themselves when determining if the incident rose to the level of a data breach. If the incident was unlikely to cause major financial or reputational harm to the patient whose data had been compromised, HIPAA said that no breach had occurred. No breach, no breach notification measures necessary.
Sensing a level of abuse here, HHS greatly departed from the old standard by issuing a new breach definition in the Omnibus. Now, facilities faced with a security incident must assume it is a breach unless, through a risk assessment, it can be shown that there is a “low probability that the PHI has been compromised.” In effect, HHS changed the rebuttable presumption from no breach to breach. Think guilty until proven innocent.
This new definition goes into effect in September. What it also means is that if you are a healthcare facility and are currently allowing providers to exchange PHI through unsecured channels, each and every such transmission will now be presumed a HIPAA breach unless you can prove otherwise. Think about that for a minute. Given that the average provider uses more than five mobile devices, a simple bar napkin calculation will show that most facilities are about to be subject to a tidal wave of potential risk. If you haven’t addressed your mobile risks yet, you should do so immediately – because the stakes are about to get much higher.