New Data Breach Rules Have Big Impact
Author: CSC Global Cybersecurity Consulting Team
This white paper addresses how information security incident response and data breach notification are affected by the new rules that the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) issued when it published the Omnibus Rule amending the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Scope of the Problem
HIPAA and HITECH have long required both covered entities and their business associates to provide notice when a data breach involving protected health information (PHI) is discovered, and have provided a mechanism for such notification that depends on the number and character of the records breached.
The new rule subtly but substantially changes the data breach regime in ways that could lead to substantial civil and criminal liability for covered entities, their associates and subcontractors. In particular, the new rule fundamentally alters the definitions of medical data "breaches" and the responsibility for investigating and reporting them. As such, it increases the need for both covered entities and their business associates to have a robust, comprehensive and documented security incident response, forensics and investigative capability.
It is virtually impossible for any covered entity or business associate to completely eliminate the potential that PHI will be either used improperly or disclosed improperly. Therefore, under the new rules, it is critically important that entities that deal with PHI have a comprehensive, robust and documented incident response program, together with a training and awareness program that is reasonable in light of the nature of the institution and the PHI collected or used. The new regulations place a premium on conducting and documenting the incident risk assessment process, and on supporting conclusions about whether a reportable breach has or has not occurred.
Having such a program in place can be the difference between having no reportable breach, mitigating the harm from a potential breach beforehand, or having a reportable breach that can cost the institution millions of dollars in damages, fines and lost reputation. A well-tailored security incident response policy, together with the capability of conducting a comprehensive forensic investigation of allegations of data loss will ensure compliance with regulation, prevent damage to patient privacy, and inevitably provide better patient outcomes by encouraging the responsible flow of PHI to those who need it.
Find Out More
If you have questions or concerns about your organization's ability to meet the new breach rules, or to become and remain compliant with federal and state regulations, read the white paper "New Data Breach Rules Have Big Impact" (PDF, 825 KB), and please contact us.