"The HIPAA Omnibus Final Rule says you have to do a risk assessment on every PHI breach," says Scott Pettigrew, CSO, HMS Holdings Corp. The rule offers four criteria that enterprises must use to perform that assessment. According to Pettigrew, the criteria include the nature and extent of the PHI involved and the likelihood of re-identification of the individual; the identity/role of the authorized person who used the PHI; whether an unauthorized person acquired or viewed the PHI; and the extent of the mitigation of the risk to the PHI.
The HIPAA Omnibus Final Rule establishes other requirements. A business associate or contractor that handles data containing PII/PHI, for example when performing data processing on behalf of the enterprise, must now also issue notification in the event of a breach in which someone could trace the compromised data back to the affected individual.
"The Omnibus Rule requires more stringent oversight by Health and Human Services (HHS). With every breach notification that affects more than 500 people, HHS must launch an investigation," says Pettigrew. Organizations will have to keep proof that they performed a risk assessment, and they will have to stand by any risk assessment results that lead them to withhold notification, explains Pettigrew.
The rule also constrains the state laws, permitting the more stringent ones to apply only as long as they do not contradict the federal law. Enterprises must update their procedures and train their workforces on all the new breach rules to satisfy the Omnibus Rule.
The Future of Data Breach Notification
A single federal law applicable to all PII/PHI would seem to benefit enterprises. Congress has been writing and circulating bills for years that would accomplish something like this. "Most of those bills would preempt the state laws, which would be very good for businesses because we wouldn't have to look at those state laws anymore. We would only have to follow one federal law to craft a notification," says Mathews. Unfortunately, Congress has not yet passed any of these bills.
To stay abreast of state laws, a quick search on Google for "data breach chart" or "data breach notification chart" will return links to charts and indexes of state notification laws, including some hosted on attorneys' professional websites. For federal laws, look to HIPAA/HITECH and the HIPAA Omnibus Final Rule. For actual breaches, keep the appropriate attorney or privacy expert on speed dial.