The provision of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule that has generated the most discussion is the elimination of the “risk of harm” standard for breach notification. The notification requirements themselves (who must be notified, when, and how) did not change; what changed substantially is the trigger. The Final Rule removed the harm standard and replaced it with a risk assessment that focuses more objectively on the risk that the PHI has been compromised. An impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity or business associate “demonstrates that there is a low probability that the PHI has been compromised.” In other words, notification is required in every case except those in which the covered entity or business associate can document that low probability. The breach notification rule applies only to unsecured PHI: if the PHI was encrypted in accordance with HHS guidance, and the decryption key was not compromised along with the data, the PHI is not “unsecured” and no breach notification is required. Note also that a failure to comply with the minimum necessary provision is itself an impermissible use or disclosure, and so may trigger the obligation to perform a risk assessment and possibly to notify.
So the top data security question you can ask your radiation oncology billing service is about encryption. Encryption is “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304, definition of encryption). HHS’s guidance on the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized persons identifies the encryption processes that qualify for this safe harbor; it does so by reference to National Institute of Standards and Technology (NIST) publications covering data at rest (storage encryption) and data in transit (TLS, IPsec, and VPN technologies). Encryption that does not follow that guidance does not earn the safe harbor.
When the Security Rule was adopted, HHS acknowledged that an encryption method considered appropriate one day may become inadequate as technology advances. Consequently, HHS does not require that medical billing services adopt a particular technology. The HIPAA encryption requirements are “technology neutral,” allowing covered entities and business associates to select the most appropriate solution for their circumstances. One caveat: under the Security Rule, encryption is an “addressable” implementation specification, which does not mean optional. An entity that chooses not to encrypt must document why encryption is not reasonable and appropriate and what equivalent alternative it has put in place. Know the standards and ask the hard questions of your radiation oncology billing service. If your PHI is not encrypted, any compromise may trigger a breach notification requirement.