To comply with the HIPAA omnibus final rule, healthcare organizations need to revise their risk assessment process to determine whether they must notify affected individuals of a breach.
If there's one conclusion you can reach looking back at data breaches over the last decade, it's that organizations face more threats than ever, according to HIPAA professionals.
Also known as the "mega rules," the omnibus final rules are clarifications and finalizations of the HIPAA rules of 2003, the HITECH rules of 2008, and the incorporation of the Genetic Information Nondiscrimination Act (GINA) rules into the Privacy and Security rules. These are not sweeping changes, as many describe, but clarifications. In most cases, what are now final rules are best practices that organizations should already be following.
Editor's note: The following is adapted from the HCPro book The HIPAA Omnibus Rule: A Compliance Guide for Covered Entities and Business Associates, by Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, Mass. To learn more about the book, go to www.hcmarketplace.com.
There is some common ground in the corrective action plans (CAP) that OCR has imposed on healthcare organizations it has investigated for HIPAA privacy and security deficiencies.
