90 days. That’s all the time healthcare organizations have between now and the September 23 HIPAA Omnibus compliance date. Understandably, most healthcare compliance officers are focusing on the significant changes spelled out in the regulations: obtaining business associate agreements, updating notices of privacy practices, and training staff members on the changes to the law. While healthcare facility managers must make sure that these listed requirements are met, they should also be concentrating on how the newest wrinkle in HIPAA will drastically affect their organizations in years to come. This, of course, is the new definition of “breach.”
Before the Omnibus and faced with a PHI security incident, compliance officers performing a risk assessment had a relatively straightforward question to ask themselves when determining if the incident rose to the level of a data breach. If the incident was unlikely to cause major financial or reputational harm to the patient whose data had been compromised, HIPAA said that no breach had occurred. No breach, no breach notification measures necessary.
Sensing a level of abuse here, HHS greatly departed from the old standard by issuing a new breach definition in the Omnibus. Now, facilities faced with a security incident must assume it is a breach unless, through a risk assessment, it can be shown that there is a “low probability that the PHI has been compromised.” In effect, HHS changed the rebuttable presumption from no breach to breach. Think guilty until proven innocent.
This new definition goes into effect in September. What it also means is that if you are a healthcare facility and are currently allowing providers to exchange PHI through unsecured channels, each and every such transmission will now be presumed a HIPAA breach unless you can prove otherwise. Think about that for a minute. Given that the average provider uses more than five mobile devices, a simple bar napkin calculation will show that most facilities are about to be subject to a tidal wave of potential risk. If you haven’t addressed your mobile risks yet, you should do so immediately – because the stakes are about to get much higher.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.