Preventing data breach and reporting after Omnibus HIPAA

The Omnibus HIPAA breach definition makes it much easier for healthcare organizations’ personal health information (PHI) to become compromised. It also specifies that when data loss or breach happens, it must be reported to the individuals affected, HHS and sometimes, even the media.

Breach no longer implies necessary threat, but rather, a compromise occurs when a covered entity or business associate experiences an impermissible use or disclosure of PHI. Furthermore, unless healthcare executives can prove low probability of breach, they must report it. This is very serious because the healthcare organization’s reputation is on the line every time a report takes place.

Four questions that can help to determine if a PHI was breached:

1. What type of information was accessed or used? Is it sensitive data, financial information?
2. Who was the unauthorized person to gain access or view the PHI? Was it an employee, a business associate?
3. Determining whether the PHI was actually viewed or acquired.
4. Were there steps in place to mitigate risks, diminish disclosure and the use of the PHI?

The primary goals of the expanded data breach definition are to protect patient privacy, ensure top level information security execution within a healthcare facility, and extend the same requirements to all business associates who have access to any of the facility’s sensitive data.

The implication for health care providers is they must now establish an even stronger risk prevention plan and information security setup. Not only must they do this for the protection of their sensitive data, but also due to the increased risk of negative exposure for their facility.

Four actions healthcare executives and CIOs can take to improve their efforts and prevent data breach:

1. Verify consistency with the healthcare facility’s practice and HIPAA requirements, while keeping in mind the new definition.
2. Have the necessary risk assessments in place to determine if a particular incident is a breach.
3. Update policies and procedures so they adhere to the individual and HHS notification requirement regulations in Omnibus HIPAA.
4. Train staff and ensure they understand what the data breach definition means to them, their limits and PHI access criteria.

With the Omnibus HIPAA breach implications everyone is looking for solutions and information security experts to assure compliance, avoid failed audits, data breach and ultimately high business costs. Preparation requires investment, but it is a high return investment that will be less expensive for healthcare providers in the long run.