Have your practice's policies and procedures been updated since the U.S. Department of Health and Human Services ("HHS") issued the final rule under the Health Insurance Portability and Accountability Act ("HIPAA"), which required compliance by September 23, 2013? If not, it is likely that your policies and procedures, and especially the policy covering the breach notification standard, need to be updated.
The final rule's modification to the breach notification standard establishes that an impermissible use or disclosure of unsecured protected health information ("PHI") is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, or another exception applies. This replaces the "significant risk of harm" threshold of the interim final rule: rather than asking whether the individual was harmed, HHS settled on a presumption standard under which the organization must assess the probability that the PHI was compromised through a risk assessment that considers at least the following factors:
- The nature and extent of the health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the health information or to whom the disclosure was made;
- Whether that health information was actually acquired or viewed; and
- The extent to which the risk to the health information has been mitigated.
According to the final rule, if the analysis of the factors described above fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required. In other words, the burden is on the covered entity or business associate to document the assessment and show why notification is not required, not on anyone else to show that it is.
Tell us how your organization responded to the HIPAA/HITECH final rule. Share your ideas with us in the comments below. We'd love to hear from you.