In early 2014, HCPro’s Medical Records Briefing (MRB) newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, 2013 implementation date. This year, MRB asked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.
With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents that said their organizations experienced a HIPAA breach in the past two years remained at 55% from 2014 to 2015.
However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase. Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.
The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches. The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.
This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Nearly half of this year’s respondents (49%) serve as the privacy officers for their organizations, similar to 50% in 2014, while just 33% reported being privacy officers prior to the Omnibus Rule implementation in early 2013. Based on this data, an increased number of HIM directors or managers appear to be serving as privacy officers at their facilities. More specifically, 65% of HIM directors and managers responding to the 2015 survey also serve as the privacy officer.