HIPAA’s Omnibus rule has a compliance date of September 23. This article reviews the current state of HIPAA enforcement and the changes that rule brings.
From the article: Of the some 80,000 HIPAA breach cases OCR has received since 2003, only 16 of those have resulted in fines, Rodriguez pointed out in an interview with Healthcare IT News.
“It’s a relatively small part of what we do here,” he said. Most cases OCR handles involve corrective action rather than monetary fines.
Don’t let that cloud your judgment or start shirking your privacy and security obligations, however. Fines imposed on organizations that grossly violate HIPAA privacy and security rules are now on the upward trend, says Rodriguez, and that’s most likely going to continue.
The article also provides a summary of the changes introduced by the Omnibus rule:
In the Omnibus final rule, not only was the harm standard removed but also a breach is now defined as “impermissible use or disclosure of PHI is presumed to be breached unless an entity demonstrates and documents low probability PHI was compromised.”
“There are two changes there,” said Robert Belfort, healthcare attorney at Manatt, Phelps & Phillips, in an interview with Government Health IT earlier this year. “First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity so if that can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”
Also among the most significant changes in the final rule is that business associates are now accountable for violating specific privacy and security rules.
This should have come as no surprise to BAs, said Rodriguez. “We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations,” he said.