HIPAA Mega-Rule Could Mean Hefty Costs for Providers Forced to Report More Breaches

January 28, 2013 – In The News
Decision Health Part B News

Expect to report data breaches to HHS more often – and at a higher cost – to comply with provisions in the agency’s long-awaited HIPAA “mega-rule.” The Jan. 17-released mega-rule finalizes four proposed and interim final rules, tightening the agency’s stance on penalizing the compromise of patient protected health information (PHI).

The rule, which goes into effect March 26 but has a Sept. 23 compliance date, shows HHS’ “renewed emphasis to push the provider community to take privacy and security more seriously

One of the most significant changes for providers is to the breach-notification requirements, which put the onus on the provider to prove when notification isn’t warranted.

Previously, providers determined the need for notification using a “harm standard,” and you had to notify HHS of breach only if it resulted in significant risk of harm to affected patients. Now, providers must report data breaches to HHS’ Office for Civil Rights (OCR) unless they can prove the unsecured PHI wasn’t compromised through a four-pronged risk assessment, says William Maruca.