I still have concerns about security breaches. How do I know I’m not at risk for HIPAA violations?
CMS made the following provisions in the final rule to ensure payers feel safe exchanging and exposing data via APIs and USCDI data sets:
- A payer may deny a third-party application access to the Patient Access API if the payer reasonably determines that doing so would present an unacceptable level of risk to the security of PHI on the payer's systems, based on objective and verifiable criteria.
- Payers must provide enrollees with resources explaining risk factors, including practical strategies to safeguard their privacy and security, and how to submit complaints to OCR or FTC.
- Payers are NOT responsible for breaches of PHI, nor for breach notification requirements, when the breach of PHI is caused by a third party or by the patient to whom the PHI has been released by the payer. The rule also clarifies that privacy issues outside the scope of HIPAA are governed by the FTC under section 5 of the FTC Act (15 U.S.C. Sec. 45(a)) and the FTC Health Breach Notification Rule.
Payers are encouraged to review the OCR website for resources on the individual access standard to ensure they understand their responsibilities.