Breaches and the HIPAA/HITECH Omnibus Deadline

Healthcare IT Security

May 1, 2017

90 days. That’s all the time healthcare organizations have between now and the September 23 HIPAA Omnibus compliance date. Understandably, most healthcare compliance officers are focusing on the significant changes spelled out in the regulations: obtaining business associate agreements, updating notices of privacy practices, and training staff members on the changes to the law. While healthcare facility managers must make sure that these listed requirements are met, they should also be concentrating on how the newest wrinkle in HIPAA will drastically affect their organizations in years to come. This, of course, is the new definition of “breach.”

How HIPAA reacted before the Omnibus


Before the Omnibus, a compliance officer faced with a PHI security incident had a relatively straightforward question to ask when performing the risk assessment that determined whether the incident rose to the level of a data breach. If the incident was unlikely to cause significant financial or reputational harm to the patient whose data had been compromised, HIPAA said that no breach had occurred. No breach, no breach notification measures necessary.

Sensing a level of abuse here, HHS greatly departed from the old standard by issuing a new breach definition in the Omnibus. Now, facilities faced with a security incident must assume it is a breach unless, through a risk assessment, it can be shown that there is a “low probability that the PHI has been compromised.” In effect, HHS changed the rebuttable presumption from no breach to breach. Think guilty until proven innocent.

Getting Rid of HIPAA Breach with More Secure Channels for Messaging

This new definition goes into effect in September. What it also means is that if you are a healthcare facility and are currently allowing providers to exchange PHI through unsecured channels, each and every such transmission will now be presumed a HIPAA breach unless you can prove otherwise. Think about that for a minute. Given that the average provider uses more than five mobile devices, a simple bar napkin calculation will show that most facilities are about to be subject to a tidal wave of potential risk. If you haven’t addressed your mobile risks yet, you should do so immediately – because the stakes are about to get much higher.

The Author
Krishna Kurapati

Krishna Kurapati is the Founder and CEO of QliqSOFT. He has more than two decades of technology entrepreneurship experience. Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges using artificial intelligence (AI)-powered digital technologies across the U.S. healthcare system.
