Manatt Healthcare Partner Discusses Data Breach Assessment Changes Under HIPAA Omnibus Rule
"Many Factors Complicate Data Breach Assessment and Reporting"
SearchHealthIT
June 24, 2013 - Manatt's Robert Belfort, a partner in the firm's Healthcare Division, spoke to SearchHealthIT about the data breach assessment changes that will go into effect in September 2013 under the HIPAA omnibus rule.
SearchHealthIT reports that the new omnibus rule creates a new standard in which regulators will presume risk to health patients anytime information is inappropriately accessed, unless the provider can document reasons why harm is unlikely. Before the regulation was changed, a reportable breach occurred when personal health information for more than 500 patients was inappropriately accessed and when the misuse of this information could have led to real harm to patients.
Belfort said he thinks the new standard creates new ambiguities and increases the burden to providers. The new rule was supposed to make breach assessments more black-and-white by presuming harm to patients anytime PHI is accessed inappropriately. But Belfort noted that the preamble to the rule change states that regulators will still look at factors such as the nature of the information disclosed, the nature of the recipient and steps taken by the provider to mitigate the situation. Belfort said all of these considerations sound more appropriate under the old risk-of-harm standard.
"I'm not sure how some of those things relate to the possibility that the information has been compromised," Belfort said. "It shouldn't matter if it was HIV information or just someone's name and address and social security number. If you're moving away from risk to the patient, I don't see why the nature of the information is relevant."