Changes to the HIPAA Omnibus from 2015 may affect the way that your healthcare business protects information and how you handle potential security breaches. As mobile and cloud technology continues to play an increasingly important role in the healthcare industry, it’s important for all organizations to understand how these changes affect them.
The Breach Notification Rule
The latest version of the Breach Notification Rule requires healthcare providers and their associates to notify patients when unsecured health information has been accessed by an unauthorized party. Companies will also need to notify the Secretary of breaches that involve unsecured protected health information.
If a security breach affects more than 500 people within a state or jurisdiction, then the company must also notify popular media outlets in the area.
Forward-thinking healthcare providers often use cloud services that protect them from potential security breaches. By choosing a cloud service provider with excellent security measures, you can protect your business and your patients. It’s never a bad idea to have a notification system in place, but a reliable cloud service provider will make such a system unnecessary.
The Definition of Security Breach
The latest HIPAA rules offer more guidance on deciding whether a breach has taken place. When determining whether they need to contact patients about security breaches, healthcare providers and their associates should consider at least four important factors:
- Whether an unauthorized person acquired or simply viewed the protected health information
- Who the unauthorized person that viewed or accessed the information is
- Whether someone could trace information back to specific patients
- How the company addressed the data leak and plans to prevent future security issues
If your business decides that a security flaw does not pose significant risk in these areas, then you may not need to notify patients. The burden of proof, however, will fall on your business. If the government wants to learn more about the breach, then you will need to provide documentation showing why you decided not to notify patients.
Sharing Information With Health Insurance Companies
In general, healthcare providers are free to share information with the health insurance companies that patients use. The Omnibus Ruling, however, gives patients a way to keep services secret from their insurance providers. To do this, the patient must pay for services in cash and request that you do not share the information with his or her insurance company.
Few patients will take this option, but some may use it to prevent their insurance companies from learning about sexually transmitted diseases and other conditions that they may find embarrassing. You are still required to keep all information in the patient’s medical records, but you cannot share the information with insurance companies when the patient submits a request.
HIPAA rules exist to make sure healthcare companies give patients the security and privacy that they deserve. Changes to the HIPAA Omnibus help solidify this goal, but they may mean that you need to alter your approach to maintaining patient records. As long as you follow the new rules and keep notes carefully, your business can meet patient needs and stay within the law.