The Department of Health and Human Services (HHS) released the HIPAA Omnibus rule on January 17, 2013, designed to give patients additional rights to their health information and increase penalties to organizations that fail to protect Personal Health Information (PHI). The rule went into effect on March 26, 2013, and it includes some changes to data breach response requirements.
HIPAA required covered entities to conduct a risk assessment when a data breach occurs. The risk assessment would determine whether the breach impacted an individual enough to require notification. If the risk assessment determined that the risk was low, then the covered entity did not need to notify the individuals nor the Office of Civil Rights (OCR). According to HITECH Answers, the HIPAA Omnibus rule now requires that covered entities retain documentation on the risk assessment performed that could be provided to the OCR if their decision not to notify is called into question, in other words, a burden of proof. If the OCR finds that the covered entity did not meet the burden of proof, it may find the covered entity to be negligent and fine them accordingly or require them to perform corrective action. The rule also adds new requirements for determining the harm to the individual.
Also of interest to HIPAA data breaches is the revised language that broadens the definition of business associates to include more downstream providers who touch PHI. This increases the number of companies that will need to adhere to the HIPAA requirements. These companies will need to become compliant before the rule takes effect but many may not even be aware that they will soon be subject to HIPAA.