HIPAA: Breaches much more likely to require disclosure under Mega Rule

One of the biggest changes under the HIPAA Omnibus Final Rule – commonly called the HIPAA Mega Rule – which was finalized earlier this year and took effect last month is a significant change to how you are required to handle breaches of patient protected health information (PHI). The change makes it far more likely that your organization will need to report an impermissible use or disclosure of PHI.

The final rule essentially forces you to presume that any impermissible use or disclosure of PHI is a reportable breach unless you can demonstrate that there is a “low probability” that the PHI has been compromised. Previously, HIPAA used a “harm threshold,” which meant you did not have to disclose a breach unless it posed a significant risk of financial, reputational or other harm to the affected individual.

You’re now required to perform, and document, an objective risk assessment to support a finding of low probability of compromise, considering at a minimum four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification), the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated, according to analysis published by the law firm Quarles & Brady LLP.

Consider, for example, a record inadvertently faxed to the wrong physician, who then immediately destroyed it. Such an incident would likely not have to be disclosed under the low probability standard. However, any incident for which you cannot establish the extent of the exposure would have to be disclosed.

If you lost and then recovered a laptop, for example, you likely would have neither visibility into nor confidence about whether the PHI on it was accessed, and you would have to disclose the breach. The same could apply to lost paper records. When the data is encrypted in a manner consistent with HHS guidance and the decryption key was not also compromised, however, the PHI is not considered “unsecured” and the loss of the device, such as a lost or stolen laptop, would not trigger the notification requirement.

As a practical matter, the change makes it critical that you and your practice safeguard patient data even more closely, because it is now highly likely that any loss or breach of PHI will have to be disclosed, along with the costly notification and mitigation efforts needed to ensure affected patients are not adversely affected as a result.

Author: Scott Kraft

– Source: http://codapedia.com/article_647_HIPAA-Breaches-much-more-likely-to-require-disclosure-under-Mega-Rule.cfm