The Workgroup for Electronic Data Interchange recently published guidance on required steps to take to determine if a breach of protected health information must be reported to affected patients and the Department of Health and Human Services.

The guidance covers the HIPAA Omnibus Rule enacted in 2013 that changed some breach notification procedures, including a presumption that a breach is presumed to have occurred when discovered, until an entity can demonstrate a low probability that PHI has been compromised.

Redspin Report: 2014 a Bad Year for Health Data Breaches

For instance, there are several ways that notification need not be made following a breach. Compromised information may turn out to not include protected health information, or compromised PHI is unusable, unreadable or indecipherable to unauthorized persons through encryption or other means. There also are three scenarios where unintentional access to PHI or inadvertent disclosure need not be reported because the incidents involved trusted authorized persons or the information disclosed is not retainable by the recipient.

Absent those exemptions, the guidance then walks through a risk assessment to determine the probability of a breach and the decision processes necessary to determine if the breach requires notification. Finally, there are a series of procedures to implement improvements to the security and confidentiality of protected health information. The guidance is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access