HIPAA: Breaches much more likely to require disclosure under Mega Rule

December 4th, 2013 - Scott Kraft
Categories:   HIPAA|PHI  

One of the biggest changes under the HIPAA Omnibus Final Rule (known as the HIPAA Mega Rule), which was finalized earlier this year and took effect last month, concerns how you are required to handle breaches of patient protected health information (PHI). The change makes it far more likely your organization will need to report disclosures of PHI.

The final rule essentially forces you to assume that any breach of PHI needs to be disclosed unless you can establish that there is a “low probability” of patient harm from the disclosure. Previously, HIPAA used a “harm threshold,” which meant you did not have to disclose a breach unless it carried a significant risk of financial, reputational or other harm to the affected party.

You’re now required to do an objective analysis to determine whether there is a low probability of harm, considering at a minimum the nature and extent of the disclosed information, the person to whom it was disclosed, whether the information was actually viewed or acquired, and to what extent the disclosure was controlled or mitigated, according to analysis published by the law firm Quarles & Brady LLP.

Consider, for example, a disclosure that was inadvertently faxed to the wrong physician, who then immediately destroyed the information. Such a breach would likely not have to be disclosed under the low probability standard. However, any breach whose possible extent you did not know would have to be disclosed.

If you lost and then recovered a laptop, for example, you likely would not have visibility into, or confidence about, the extent of the breach of PHI and would have to disclose the breach. The same could apply to lost paper records. When data is encrypted, however, you would likely not have to disclose the loss of the data, such as in the case of a lost or stolen laptop.

As a practical matter, the change makes it critical that you and your practice safeguard patient data even more closely, because it’s highly likely that any loss or breach of PHI would have to be disclosed, along with costly efforts to ensure the patient is not adversely affected as a result.

