Monday, September 23, 2013 marked the date for full compliance under HIPAA Omnibus’ latest regulations.
But did you know the definition of a breach changed? That’s right! In the final rule published in the January 25th Federal Register, the U.S. Department of Health and Human Services altered the definition of a breach by deleting the wording “such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual” and replacing it with “compromises the security or privacy of the protected health information”.
What does this mean to you? Instead of assessing the risk of harm to the individual, covered entities must assess the probability that the protected health information (PHI) has been compromised based on a risk assessment that considers at least the following four factors:
- The nature and extent of the PHI involved.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
Aside from knowing the rules and working to abide by them, one of the best ways to protect your practice is to document, document, document!! Even if you’re unsure whether something is classified as a breach or a security incident, make note of it. Document what happened, when it happened, and how you addressed it.