Did you know that the new HIPAA Privacy and Security final rule came into effect March 26? The rule, more commonly known as the HIPAA Omnibus Rule, brings about a drastic change in the way practices are supposed to handle breach notifications. This change is something you should be aware of.
Under the old rule, when a data breach occurred, health-care providers were presumed innocent of harming patients until the patients proved otherwise. Under the new rule, when a data breach occurs, the opposite is the case: health-care providers are presumed guilty of harming patients, and will have to prove their innocence.
Additionally, the new rule includes business associates (such as vendors), which could catch providers off guard.
Small health-care providers without resources to understand the changes can rely on government programs to help them do risk analysis. In essence, the programs recommend that you identify all parties with access to health records and ensure that you are protecting those records in compliance with the new rule.
Although the rule was effective on March 26, providers and their business associates have 180 days to comply before the Office for Civil Rights begins enforcement on September 23. Until then, however, providers will still be held accountable under the old rules. If you need help ensuring that your systems are secure, please contact us today.