April 9, 2013 
April 8, 2013 by Mac McMillan, posted on Healthcare Informatics.
Mac McMillan recently featured a blog post for Healthcare Informatics that reviews the Breach Notification Rule with the new Omnibus Rule, and reminds readers that the rule went into effect last month. He analyzes the controversies of the previous “harm provision” and how the Omnibus Rule addresses the previous shortfalls under the “harm provision”.
McMillan reports on the four considerations of risk to account for when assessing if a compromise happened. First, not all breaches are equal. It’s dependent upon how much and how sensitive the PHI is. Next, look at who used/received the info and then what they did with that info. He points out there is a big difference between someone who receives PHI and destroys it, versus it falling into hands of someone that will commit identify theft with it. Last, it is important to consider is if/how the compromised information will be exploited.
McMillan then points out that notifications have not changed much. An incident compromising 500 or more individual records must still be reported within 60 days of knowing about the incident, and incidents with less than 500 records still have up until 60 days after the calendar year. However, there is a minimal change that smaller breaches can now be reported during the year that the incident was uncovered rather than the year of the occurrence. Also, under the new Omnibus Rule, McMillan points out that a risk analysis is only required if the organization is uncertain of the compromise.
Last, McMillan provides four simple tips to do before enforcement takes effect on September 24th. First, now is the time to revise internal breach notification programs and policies, and then educate the workforce of these new procedures. He also suggests to implement a new risk analysis and ensure documenting the analysis.
For the full article, click here to visit Healthcare Informatics site.
CynergisTek, Inc. 
Comments are closed.