Take note that "risk of harm assessment" becomes "assessment of probability that PHI has been compromised," and subcontractors are now statutorily obligated to comply with the HIPAA Rules. – Bob Chaput, Founder and CEO, Clearwater Compliance
Nashville, Tenn. (PRWEB) January 25, 2013
The Omnibus Final Rule was sent to the Office of Management and Budget in March 2012. Most industry experts expected it to be published in the Federal Register in June 2012. However, HHS issued a news release announcing the Omnibus Final Rule will be published on January 25, 2013. According to the release, the Omnibus Final Rule enhances patient privacy protections, gives individuals new rights surrounding their health information and strengthens the government’s abilities to enforce the law.
“Our team will provide continued analysis over time,” said Bob Chaput, Founder and CEO of Clearwater Compliance. “Meanwhile, take note that ‘risk of harm assessment’ becomes ‘assessment of probability that PHI has been compromised,’ and subcontractors are now statutorily obligated to comply with the HIPAA Rules.”
“Risk of Harm Assessment” becomes “Assessment of Probability that PHI has Been Compromised”
The exact language of the Omnibus Final Rule states, “…Instead of assessing the risk of harm to the individual, covered entities and business associates must assess the probability that the protected health information has been compromised based on a risk assessment that considers at least the following factors:
(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(2) The unauthorized person who used the protected health information or to whom the disclosure was made;
(3) Whether the protected health information was actually acquired or viewed; and
(4) The extent to which the risk to the protected health information has been mitigated.
…If an evaluation of the factors discussed above fails to demonstrate that there is a low probability that the protected health information has been compromised, breach notification is required.”
“Subcontractors” Now Statutorily Obligated to Comply
The final rule adopts the proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of “business associate” that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”
Clearwater Compliance is offering a complimentary white paper for Business Associates (And Agents & Subcontractors) to assist them on their journey toward HIPAA-HITECH compliance. The HITECH Act is the largest and most consequential expansion and change to federal privacy and security rules ever. The change areas comprise new federal privacy and security provisions that will have major operational, financial and legal implications for all hospitals, medical practices, health plans, and now their business associates, as well as some business and service providers that were not previously considered business associates. The white paper is available on aboutHIPAA.com, a site sponsored by Clearwater Compliance that contains a wealth of HIPAA and HITECH resources, including white papers, live and on-demand webinars and software demonstrations.
About Clearwater Compliance: http://clearwatercompliance.com
Clearwater Compliance, LLC, is all about and only about helping healthcare organizations and their service providers become and remain HIPAA-HITECH compliant. Owned and operated by veteran C-suite healthcare executives, Clearwater Compliance provides comprehensive, by-the-regs software and tools, risk management solutions, training, and professional services for organizations ranging from small medical practices and healthcare startups to major healthcare systems, health plans and Fortune 100 companies. Since 2003, the company has served more than 250 organizations (including 100 hospitals). Find out more at clearwatercompliance.com.