One week. That’s all that remains between now and September 23rd, the date on which the HIPAA Omnibus regulations go into effect. Covered entities under the law should have already completed most of the long-term compliance work under the regulations – e.g., updating their Business Associate Agreements, revising their Notices of Privacy Practices, completing a detailed risk assessment – but the biggest change that goes into effect in seven days is the shift in the presumption of what constitutes a breach.
In many ways, we’re coming off what seemed to be the summer of the data breach. A large number of breaches were reported by both covered entities and business associates, and the wave of reported breaches was punctuated by the second-biggest ever in healthcare, at Advocate. However, despite the increasing number and magnitude of these breaches, they were reported to HHS under a very conservative standard. On September 23 this radically changes.
Under the current standard, whenever a covered entity or a business associate learns of a security incident, the law allows the entity to presume that a data breach did not occur unless the data compromised presents a significant risk of financial or reputational harm. So let’s say one of your healthcare providers loses his phone. Despite the fact that he was text messaging other providers regarding a patient, the trace amount of PHI and the lack of things like Social Security numbers probably will allow you to hide under this presumption and designate the event as a security incident and not a data breach. Over the last few years, thousands of providers did just that.
Under the Omnibus standard, this event would most definitely be a data breach. That is because the Omnibus requires covered entities to presume a data breach occurred unless, through a risk assessment, they can demonstrate that it was unlikely that the data in question was compromised. We’ve talked about this before, but presumptions are everything in the legal world. It’s a staggering difference - think “innocent until proven guilty” and “guilty until proven innocent.”
Combined with the looming HIPAA Audit Program, this presumption change presents a major compliance risk to covered entities and business associates alike. Account for your possible PHI weak points now to avoid being in the unenviable position of having to prove your innocence months down the road.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.