The HIPAA Omnibus Final Rule went into effect on March 26, 2013, and full compliance is expected by September 23, 2013. The amended rule expands the accountability of business associates and requires them to assume direct responsibility for keeping protected health information safe and secure. After March 26, if a breach occurs for which a business associate is responsible, the business associate must bear the cost of breach remediation. Further, like covered entities, business associates are responsible for assessing the risk when a breach occurs and for reporting the breach (a business associate reports to the covered entity it serves).
To assist business associates and covered entities with HIPAA compliance, the new rule provides four factors that must be evaluated to determine whether a reportable breach has occurred. Under the Omnibus Final Rule an impermissible use or disclosure of Protected Health Information (PHI) is presumed to be a breach unless the entity can demonstrate a low probability that the PHI has been compromised. The risk assessment therefore focuses on the probability that PHI has been compromised, rather than on an evaluation of harm to a particular individual, which was the standard under the earlier interim rule.
The rule lists four factors to consider when an incident occurs, both to decide whether PHI has been compromised and to decide whether breach notification is required. The Journal of AHIMA outlined the four factors, which include:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the protected health information or to whom the disclosure was made.
- Whether the protected health information was actually acquired or viewed.
- The extent to which the risk to the protected health information has been mitigated; for example, was the breached information received via facsimile and then destroyed or actually used and/or shared?
In addition to the four risk assessment factors, the assessment must document which of the 19 unique identifiers were present in the affected information, since the types of identifiers involved drive the first factor (the nature and extent of the PHI and the likelihood of re-identification). According to the Journal of AHIMA, the unique identifiers include:
- Names
- All geographic subdivisions smaller than a state
- For dates directly related to the individual, all elements of dates except year (e.g., date of birth, admission date, discharge date, date of death)
- All ages over 89, or dates indicating such an age
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical Record number
- Health Plan number
- Account numbers
- Certificate or license numbers
- Vehicle identification numbers, including license plate numbers
- Device identification/serial numbers
- Universal Resource Locators
- Internet Protocol addresses
- Biometric Identifiers
- Full face photographs and comparable images
- Any other unique identifying number, characteristic, or code
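Deciding the first factor means establishing which identifier types were actually present in the data that left the organization. The Python below is an added illustration of that step; it is not part of the article or the AHIMA list. It scans a constructed sample of exported rows (fictitious data) for several of the identifier categories above using simple pattern heuristics, and it applies the "age over 89" rule both to an explicit age and to a date of birth evaluated against an assumed assessment date. The category names, the sample rows, the regular expressions and the default assessment date are all assumptions made for this example.

```python
import re
from datetime import date

# Constructed sample rows standing in for a spreadsheet sent to the wrong
# recipient. Fictitious data; not from the article.
SAMPLE_RECORDS = [
    "Visit 03/14/2012; DOB 1921-02-05; SSN 123-45-6789; MRN 00448213; ZIP 90210",
    "Contact jane.doe@example.com tel 555-123-4567; portal https://portal.example.org/v/883",
    "Access from 192.0.2.44; age 92 at last encounter",
    "Routine follow-up noted in 2012, no further detail",
]

# Pattern-based heuristics for some of the identifier categories in the list
# above. Category names are this example's own; the regexes are deliberately
# simple and will need field context (column names, record layout) in practice.
PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/fax number": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "Internet Protocol address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Universal Resource Locator": re.compile(r"\bhttps?://\S+"),
    "Medical record number": re.compile(r"\bMRN\s*\d+\b", re.I),
    "Geographic subdivision smaller than a state": re.compile(r"\bZIP\s*\d{5}\b", re.I),
    # Any date carrying month and day; a bare year is not an identifier.
    "Date element other than year": re.compile(
        r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
}
AGE_CATEGORY = "Age over 89 or date indicating such an age"
AGE_RE = re.compile(r"\bage\s*(\d{1,3})\b", re.I)
DOB_RE = re.compile(r"\bDOB\s*(\d{4})-(\d{2})-(\d{2})\b", re.I)


def age_on(dob, as_of):
    """Whole years between a date of birth and the assessment date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def classify_identifiers(records, as_of=date(2013, 9, 23)):
    """Map each identifier category found in `records` to the matched values.

    `as_of` is the date the assessment is performed (assumed default: the
    Omnibus compliance date); it decides whether a date of birth by itself
    indicates an age over 89, which the rule treats as an identifier.
    """
    found = {}

    def add(category, value):
        found.setdefault(category, set()).add(value)

    for row in records:
        for category, regex in PATTERNS.items():
            for match in regex.findall(row):
                add(category, match)
        # Explicit ages: only values over 89 are identifiers.
        for m in AGE_RE.finditer(row):
            if int(m.group(1)) > 89:
                add(AGE_CATEGORY, m.group(0))
        # Dates of birth: flag them when they imply an age over 89.
        for m in DOB_RE.finditer(row):
            dob = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
            if age_on(dob, as_of) > 89:
                add(AGE_CATEGORY, m.group(0))

    return {cat: sorted(vals) for cat, vals in sorted(found.items())}


if __name__ == "__main__":
    for category, values in classify_identifiers(SAMPLE_RECORDS).items():
        print(f"{category}: {', '.join(values)}")
```

The output is a per-category inventory that can be attached to the assessment record for factor 1. Note that the fourth sample row, which mentions only a year, produces no finding, and that a date of birth is flagged under the age rule only when it implies an age over 89 on the assessment date; an identifier scan like this supports the assessment but does not replace review of the actual record layout.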
Facilities should begin applying these more objective factors when conducting risk assessments to determine whether PHI has been compromised and breach notification is necessary. To ensure compliance with HIPAA guidelines, the four risk factors should be evaluated, and the unique identifiers involved documented, for each potential breach.