One week. That’s all that remains between now and September 23rd, the date on which the HIPAA Omnibus regulations go into effect. Covered entities under the law should have already completed most of the long-term compliance work under the regulations – e.g., updating their Business Associate Agreements, revising their Notices of Privacy Practices, completing a detailed risk assessment – but the biggest change that goes into effect in seven days is the shift in the presumption of what constitutes a breach.
In many ways, we’re coming off what seemed to be the summer of the data breach. A large number of breaches was reported from both covered entities and business associates, and the wave of reported breaches was punctuated by the second biggest ever in healthcare with Advocate. However, despite the increasing number and magnitude of these breaches, these were reported to HHS under a very conservative standard. On September 23 this radically changes.
Under the current standard, whenever a covered entity or a business associate learns of a security incident, the law allows the entity to presume that a data breach did not occur unless the data compromised presents a significant risk of financial or reputational harm. So let’s say one of your healthcare providers loses his phone. Despite the fact that he was text messaging other providers regarding a patient, the trace amount of PHI and the lack of things like social security numbers probably will allow you to hide under this presumption and designate the event as a security incident and not a data breach. Over the last few years, thousands of providers did just that.
Under the Omnibus standard, this event would most definitely be a data breach. That is because the Omnibus requires covered entities to presume a data breach occurred unless, through a risk assessment, they can demonstrate that it was unlikely that the data in question was compromised. We’ve talked about this before, but presumptions are everything in the legal world. It’s a staggering difference - think “innocent until proven guilty” and “guilty until proven innocent.”
Combined with the looming HIPAA Audit Program, this presumption change presents a major compliance risk to covered entities and business associates alike. Account for your possible PHI weak points now to avoid being in the unenviable position of having to prove your innocence months down the road.
Krishna Kurapati is the Founder and CEO of QliqSOFT. He has more than two decades of technology entrepreneurship experience. Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges using artificial intelligence (AI)-powered digital technologies across the U.S. healthcare system.