Deciphering HIPAA Omnibus Rule Breach Notification
June 26, 2013
Despite the new instructions on breach notification in the HIPAA Omnibus Rule, there’s still plenty of uncertainty about what constitutes a “compromise” of data that triggers notification, says privacy attorney Adam Greene.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.
“The problem is that we don’t have a clear definition of ‘compromise,'” Greene says. “And you can have very different reasonable definitions of compromise and come up with completely different results” in assessing whether an incident is a reportable breach under the HIPAA Omnibus Rule, he adds.
Under HIPAA, a breach is one type of incident. “Some incidents are breaches, and some are not,” Greene says. “By contrast, a ‘compromise’ is what happened to data. By looking at what happened to the data, you can determine properly … whether the incident is a breach.”
Greene expects the Department of Health and Human Services’ Office for Civil Rights, the HIPAA enforcement agency where he formerly worked, will eventually provide greater clarification about what’s considered a compromise. But in the meantime, to prepare for HIPAA Omnibus’ Sept. 23 compliance deadline, Greene suggests that organizations come up with “a consistent, objective approach” to assessing incidents for potential breach notification, and most important, thoroughly document that approach. “If you have such an approach documented, you’ll be in pretty good shape,” he says.
In developing that approach to assessing, Greene says, “always consider … whether the end results are reasonable. You don’t want to be over-notifying, [using a] methodology that leads to [reporting incidents] when there’s no impact,” he says. “Don’t become a slave to your methodology. Always apply common sense, and adjust your methodology if you find it’s flawed.”
Time for Testing Is Now
The attorney urges healthcare organizations to test their incident assessment method now “rather than applying this for the first time when there’s a breach after the compliance date.”
Article written by Marianne Kolbasuk McGee