Susan McAndrew of the HHS Office for Civil Rights has provided insights about an omnibus package of regulations - including a revised version of the HIPAA breach notification rule - that's now in the final stages of review.
The final version of the breach notification rule will include clarification of how to determine whether a breach must be reported to federal authorities, says McAndrew, OCR's deputy director of health information privacy. The interim final version of the breach rule, now in effect, contains a controversial harm standard that requires healthcare organizations to conduct a risk assessment to determine if a breach represents a significant risk of harm and thus must be reported.
"We are hopeful that the standards [in the final rule] will be sufficiently clear for how to determine if a breach is reportable, McAndrew says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below). "We're working on some additional guidance which will help entities, particularly smaller entities that may encounter breaches, to help them identify what the proper steps are to a risk assessment."