HIPAA-HITECH Act Data Breach Audit

The Final Rule under the HIPAA-HITECH Act, released by HHS after a prolonged public consultation, changes the way Data Breach notification must be handled by Covered Entities and Business Associates.

The key points of the Final Rule are as follows:

1. Breach notification is not required under the Final Rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant harm to the individual, as was provided under the interim final rule.

2. The onus of proving that an “impermissible use or disclosure” of PHI is not a “breach” lies with the covered entity. In other words, every impermissible use is a “breach” unless the entity demonstrates that there is a low probability that the PHI has been compromised.

This essentially means that whenever an “impermissible” use or disclosure is observed, the entity should initiate a “Data Breach Audit” process and document whether the impermissible use is in fact a “breach”. Such a “Data Breach Audit” will determine whether a breach has occurred and whether the probability of compromise is significant.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.

This entry was posted in HIPAA, Privacy.
