New HIPAA Rule Alters Breach Definition
Posted On: October 10th, 2013
Former Vice President, Product Marketing and Strategy, McKesson (Retired)
Always encrypting your data is your first line of defense in case of a breach, according to Mark Eich, partner in the Information Security Group at CliftonLarsonAllen.
Eich and Juli Ochs, CPA, engagement director in the firm’s health care group, led a recent webinar on new HIPAA rules and enforcement trends. Eich says the Omnibus final rule, with a compliance date of Sept. 23, 2013, is anticipated to bring more oversight and auditing of HIPAA compliance.
The Office for Civil Rights (OCR), part of the Department of Health and Human Services, is charged with conducting audits and has an incentive to collect penalties, because those penalties fund the effort. Of the breaches discovered in the 20 audits OCR conducted in 2012, two-thirds were security-related. With that in mind, Eich reminds organizations to:
- Review users to ensure they are current employees, are authorized users and have the correct access rights
- Examine your information systems frequently to uncover any vulnerabilities
- Verify that your access controls are designed to mitigate unacceptable risks
Something as simple as a copy machine, which can retain scanned health documents in its memory, can be the source of a costly breach.
The definition of a breach formerly applied a “risk of harm” threshold, but the final rule broadened that definition to any acquisition, access, use or disclosure of protected health information in an unauthorized manner.
Broadly stated, three exceptions to breach notification are:
- Unintentional acquisition, access or use of PHI by an employee or agent of a covered entity or business associate if it was made in good faith
- Inadvertent disclosure by a person authorized to access PHI to another authorized person that will not be further used or disclosed in an impermissible manner
- A good-faith belief that the disclosed information was not retained by the person who received it
Any disclosure that does not meet any one of the exceptions is considered a breach unless the data was rendered “unusable, unreadable, or indecipherable” through such means as encryption.
To safeguard your organization against a breach, Eich and Ochs advise companies to encrypt data and implement a bring-your-own-device (BYOD) policy; review and update business associate agreements to ensure compliance with the new rules; review and revise breach notification and privacy policies; and educate staff on the new rules.
HIPAA compliance can be risky business, so it’s always a good idea to consult with legal counsel to make sure your home care agency’s practices and policies concerning breaches satisfy HIPAA requirements.