A Legal Guide to PRIVACY AND DATA SECURITY 2024

individuals; and 3) technical safeguards, which include processes designed to protect data and control access, such as using authentication controls and encryption technology.

Breach Notification Requirements.

HHS also requires covered entities to notify individuals when their unsecured PHI has been breached. This change resulted from the HITECH Act enacted in 2009 and subsequent regulatory rulemakings in 2009 and 2013. The HIPAA Breach Notification Rule defines a “breach” to be the acquisition, access, use, or disclosure of PHI in a manner that is not permitted by the Privacy Rule and which compromises the security or privacy of the PHI. Unsecured PHI is PHI that is not secured in accordance with certain National Institute of Standards and Technology (NIST) standards recognized by the Secretary of HHS.

Affected individuals must be notified “without unreasonable delay” and no later than 60 days after discovery of the breach. If a breach exceeds 500 people, HHS and the media must also be notified within this same time frame. HHS must also be notified annually of any data breaches involving fewer than 500 people, regardless of size.

In 2013, the HIPAA Omnibus Rule revised the Breach Notification Rule to alter the standards for determining when a breach has occurred. As a result, the acquisition, access, or use of PHI in a manner not permitted under the Privacy Rule is presumed to be a breach, unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised (based on an analysis that looks to certain factors spelled out in the regulations). If the covered entity or business associate concludes that a use or disclosure not permitted by the Privacy Rule does not rise to the level of compromising the PHI, the burden is on the covered entity/business associate to justify that decision.

HIPAA Exemptions.

HIPAA does not apply to information that does not meet the definition of PHI, such as: 1) information that is not individually identifiable because it is “de-identified” (as defined in the Privacy Rule); or 2) information that is used by individuals or entities that do not fall within the definitions of “covered entities” or “business associates” of
