One week. That’s all that remains between now and September 23rd, the date on which the HIPAA Omnibus regulations go into effect. Covered entities under the law should have already completed most of the long-term compliance work required by the regulations – e.g., updating their Business Associate Agreements, revising their Notices of Privacy Practices, completing a detailed risk assessment – but the biggest change that goes into effect in seven days is the shift in the presumption of what constitutes a breach.
In many ways, we’re coming off what seemed to be the summer of the data breach. A large number of breaches was reported from both covered entities and business associates, and the wave of reported breaches was punctuated by the second biggest ever in healthcare with Advocate. However, despite the increasing number and magnitude of these breaches, these were reported to HHS under a very conservative standard. On September 23 this radically changes.
Under the current standard, whenever a covered entity or a business associate learns of a security incident, the law allows the entity to presume that a data breach did not occur unless the data compromised presents a significant risk of financial or reputational harm. So let’s say one of your healthcare providers loses his phone. Despite the fact that he was text messaging other providers regarding a patient, the trace amount of PHI and the lack of things like social security numbers probably will allow you to hide under this presumption and designate the event as a security incident and not a data breach. Over the last few years, thousands of providers did just that.
Under the Omnibus standard, this event would most definitely be a data breach. That is because the Omnibus requires covered entities to presume a data breach occurred unless, through a risk assessment, they can demonstrate that it was unlikely that the data in question was compromised. We’ve talked about this before, but presumptions are everything in the legal world. It’s a staggering difference - think “innocent until proven guilty” and “guilty until proven innocent.”
Combined with the looming HIPAA Audit Program, this presumption change presents a major compliance risk to covered entities and business associates alike. Account for your possible PHI weak points now to avoid being in the unenviable position of having to prove your innocence months down the road.