HIPAA: Breaches much more likely to require disclosure under Mega Rule

December 4th, 2013 - Scott Kraft

One of the biggest changes under the HIPAA Omnibus Final Rule – known as the HIPAA Mega Rule – which was finalized earlier this year and took effect last month, concerns how you are required to handle breaches of patient protected health information (PHI). The change makes it far more likely your organization will need to report disclosures of PHI.

The final rule essentially forces you to assume that any breach of PHI needs to be disclosed unless you can establish that there is a “low probability” of patient harm from the disclosure. Previously, HIPAA used a “harm threshold” which meant you did not have to disclose a breach unless the breach carried a significant risk of financial, reputational or other harm to the affected party.

You’re now required to do an objective analysis to determine whether there is a low probability of harm, considering at a minimum the nature and extent of the disclosed information, the person to whom it was disclosed, whether the information was actually viewed or acquired, and to what extent the disclosure was controlled or mitigated, according to analysis published by the law firm Quarles & Brady LLP.

Consider, for example, a disclosure that was inadvertently faxed to the wrong physician, who then immediately destroyed the information. Such a breach would likely not have to be disclosed under the low probability standard. However, any breach for which you did not know the possible extent of the breach would have to be disclosed.

If you lost and then recovered a laptop, for example, you likely would not have visibility into, or confidence about, the extent of the breach of PHI and would have to disclose the breach. The same could apply to lost paper records. When data is encrypted, however, you would likely not have to disclose the loss of the data, such as in the case of a lost or stolen laptop.

As a practical matter, the change makes it critical that you and your practice safeguard patient data even more closely, because it’s highly likely that any loss or breach of PHI would have to be disclosed, a process that includes costly efforts to ensure the patient is not adversely affected as a result.



Codapedia™ by InnoviHealth Systems™ - 62 E 300 North, Spanish Fork, UT 84660 - Phone 801-770-4203 (9-5 Mountain) - Fax (801) 770-4428

Copyright © 2009-2019 Find A Code, LLC - CPT® copyright American Medical Association