Changes in Breach Notification Risk Assessments Under HIPAA
Reposted from Mintz Levin's Health Law & Policy Matters blog
The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed in this article involve two situations that often stymie health care providers: 1) appropriate disclosures to law enforcement and 2) sending appointment reminders to patients.
Covered entities and business associates having difficulty distinguishing between the old “harm standard” and the new Omnibus Rule analysis should understand that the latter clearly imposes a rebuttable presumption that a breach of protected health information will require notification to affected individuals and the government, except under narrow circumstances. As the article concludes, “striking a balance between an inquiry that meets the risk assessment’s requirements but that minimizes the over-reporting of breaches will be a challenge that covered entities and business associates will need to address” for years to come.
Mintz Levin's Privacy team constantly monitors the HHS Office for Civil Rights’ enforcement and monitoring activities and writes posts noting trends in the area of HIPAA compliance, so keep checking the blog for current health care privacy and security news.