Most of these factors were likely considered previously by CEs, but they were considered in a different context. If a CE or BA concludes that a breach has not occurred, documentation sufficient to meet this burden of proof must be maintained. A decision to notify does not require an analysis of risk because the occurrence of a breach is presumed.
There are also a few requirements that remain the same, even if there was some clarification.
PRE-EMPTION OF STATE LAW
HHS has reminded CEs and BAs that HITECH only pre-empts state law to the extent HITECH is more strict. If a state law is more strict, then the CE and BA must follow the requirements of the state law, as HHS considers the regulation to be the federal floor of privacy protection. Depending on the scope of the breach, a state may have more strict requirements involving timeliness of notification, notification to state agencies, and content of the notification letter. Some states, such as Florida, Vermont, and Wisconsin, require notification within 45 days. Other states expect notification within several weeks to 30 days even though the state law does not specify an exact time period. Knowledgeable privacy counsel is critical to advise organizations about these issues because the state statutes (and how they are applied) can be confusing.
ADDRESSABLE STANDARDS
HHS has made clear that the ability to deliver high-quality care must be balanced with compliance issues because each organization is unique and presented with different challenges. This does not mean that compliance takes a backseat to patient care issues, but it does mean that healthcare organizations can continue to document their decision-making process when accepting and addressing risks.
For example, the use of encryption continues to be an addressable standard. This means that it is not required to be adopted by healthcare organizations and vendors. There are several advantages, however, if the technology is implemented. These include safe harbors for breach notification and the ability to show clear compliance with certain HIPAA Security Rule requirements. If an organization decides not to deploy encryption technology, a documented risk assessment is required which details the decisions made by the organization and what other protections are in place to address the safeguarding of ePHI. OCR may disagree with your assessment.

Recently, HHS provided guidance for the protection of mobile devices. Some of the protections that should be considered include:
1. Use a password or other user authentication.
2. Install and enable encryption.
3. Install and activate wiping and/or remote disabling.
4. Disable and do not install file-sharing applications.
5. Install and enable a firewall.