Gone in the final omnibus HIPAA rule, issued Jan. 17 and being published on Jan. 25, is the “harm threshold” under which organizations did not have to report unless a breach was assessed as potentially causing financial, reputational or other harm to affected individuals. It is replaced with a risk assessment threshold that OCR believes is more objective when determining if protected health information has been compromised.
The risk assessment has four steps, Pollack notes: determine the nature and extent of PHI involved, consider the nature of the unauthorized person who received the information, determine the extent that PHI is actually acquired or viewed, and consider actions taken to mitigate the risk (such as obtaining assurance that the recipient will not use or share the information).
The reality is that if all four questions cannot be satisfactorily answered, a breach must be reported, Pollack says, and that means more reporting to come. “If you have PHI, you need to have a process for doing an assessment as a breach occurs and to ensure a consistent methodology is used,” he advises. “The burden of proof is on the entity to prove they have done the assessment and PHI was not compromised.”
Covered entities under the final breach notification rule must develop new agreements with business associates that reflect that BAs are now treated as covered entities under the law and that they fully understand their duties to oversee the HIPAA compliance of subcontractors. But many BAs are only vaguely familiar with the regulations, both before and after the final rule, and need plenty of education; they will then need to educate their own subcontractors, Pollack says.
Importantly, many BAs are not aware that they now can be aggressively pursued by regulators, Pollack adds. For instance, BAs may not appreciate how rigorously they now have to document security risk assessments, breach assessments and proactive steps taken to rectify deficiencies because, again, the initial assumption now is that a breach has occurred and the burden of proof is on the entity to prove that adequate protections have been in place.
He expects business associates that don’t get the message now to get it later from OCR or state attorneys general in the form of heavy fines, as it is clear that BAs will be targeted. “Proof without documentation opens the door to charges of operating in a negligent fashion, opening the door to fines.”