Assessing Whether to Report a BreachDeven McGraw of Center for Democracy & Technology
The new HIPAA Omnibus Rule contains detailed guidance on how to determine whether a breach must be reported, consumer advocate Deven McGraw explains.
In an interview, McGraw, who chairs a privacy and security panel that advises federal regulators:
- Outlines how the new guidance is different from the original "harm standard" for breach reporting;
- Describes the documentation that's now required;
- Explains why she believes the new breach notification guidance is good news for consumers.
McGraw is director of the health privacy project at the Center for Democracy & Technology, where she focuses on developing and promoting policies that ensure individual privacy is maintained as personal health information is electronically shared. She serves on the Health Information Technology Policy Committee, which advises federal regulators, and chairs its Privacy and Security Tiger Team.