The HIPAA Breach Notification Rule was Established by the HITECH Act That Brought Along the HIPAA Privacy and HIPAA Security Rules.
HIPAA Breach Notification Rule Summary
The HIPAA Breach Notification Rule was established by the HITECH Act, a modification to HIPAA, that brought along the HIPAA Privacy and HIPAA Security Rules. The rule states that covered entities and business associates are required to notify affected individuals when there has been more than a low probability of an impermissible use or disclosure of protected health information (PHI). Breach Notification can be triggered by simply losing control of PHI or temporarily allowing others to have access to the PHI.
In addition to notifying affected individuals, breaches of unsecured PHI, must also be reported to the Secretary of the Office of Civil Rights’ (OCR) Health and Human Services (HHS). For breaches affecting 500 or more individuals, notice of the event will be posted on the HHS website. For breaches affecting 500 or more residents of a state or jurisdiction, a media notice must be made.
Under HIPAA, when a breach occurs, it is the obligation of the business associate or agent of the business associate to pass notice of the breach upstream to the covered entity for reporting. For each security incident, the HIPAA Covered Entity and HIPAA Business Associate must prove they have either conducted Breach Notification or performed a risk analysis that found there was only a low probability the information was compromised.
4 Key Issues When Conducting a Risk Analysis
There are four key issues that must be addressed when conducting a risk analysis. These include:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated
With the addition of the HIPAA Omnibus Rule, several changes were made affecting the responsibilities of data storage companies that stored PHI. These changes go as follows: (1) the conduit exception is not sufficient for relieving the responsibility of business associates that have persistent access to PHI (2) business associates are responsible for protecting e-PHI, with or without a BAA, (3) both covered entities and business associates must conduct a risk analysis that examines the probability of exposure of e-PHI rather than the “risk of harm” standard as provided in the Breach Notification Rule, and most importantly (4) covered entities are liable for their business associates penalties/mistakes.
Contact us today if you are interested in our HIPAA Compliant Hosting Services!