Assessing Breaches: Four Key Factors
Privacy Expert Explains HIPAA Omnibus Guidance
Borten, president of the security consulting firm The Marblehead Group, explains in an interview with HealthcareInfoSecurity that the factors that need to be assessed include:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
Mitigating risk to PHI once there's been a disclosure can prove difficult, Borten says. "There's not much you can do when the horse is already out of the barn."
The factors to be considered in an assessment of whether an incident is a reportable breach had been included in the preamble of the interim final breach notification rule that's been in effect since September 2009, Borten notes. But the final version of the rule, included within HIPAA Omnibus, clarifies the guidance.
In the interview, Borten also addresses breach notification requirements for business associates under the new rule.
The HIPAA Omnibus Rule went into effect on March 26 and has a compliance deadline of Sept. 23.
Before founding The Marblehead Group in 1999, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup, as its chief information security officer. She has written a new book, The HIPAA Omnibus Rule, which is slated to be released by HCPro this week.