Adios Harm Threshold! vive la Risk Assessments! Now that we have all been able to make our way through the epic document that is the Omnibus HIPAA rule on privacy, security and data breach notification, a few interesting things have floated to the top. First, if you were doing the right thing before – being proactive, regular privacy and security risk assessments, incident response plan, etc – this rule validates all your actions. If you weren’t doing the right thing, the HHS stick just got bigger and a little longer. The Harm Threshold was eliminated in favor of a 4 factor risk assessment. The burden of proof is still on the CE or BA, but the harm to individual has been de-emphasized.
The HIPAA Final Omnibus Rule seeks to better protect patients by removing the harm threshold. Covered entities and their business associates must still conduct an incident risk assessment, for every data security incident that involves PHI. Rather than determine the risk of harm, the risk assessment determines the probability that PHI has been compromised, based on four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
These factors should be considered in combination and not in isolation when conducting a risk assessment. If an entity has an incident and its risk assessment concludes that there was a very low probability that the PHI was compromised, it may choose to not notify the affected individuals or the Department of Health and Human Services Office for Civil Rights (OCR). However, the Final Omnibus Rule requires that the entity maintain a “burden of proof” if its conclusions are called into question. If the OCR investigated the covered entity, it would be required to provide conclusive documentation of its incident risk assessment and analysis as to why the incident did not result in a “compromise” of PHI. If the entity doesn’t meet that burden of proof, it could be found to have been negligent in not notifying the affected individuals and subject to substantial fines, penalties, and corrective action.
Documentation is still key, as it was before, but both CE’s and BA’s would be wise to find a software solution to their data breach risk assessment, documentation and reporting requirements.
You can read the full article: 4 risk factors to understand since HIPAA final rule on privacy and security