b'Under the HIPAA Omnibus Rule, security incidents are presumed to be reportable data breaches unless healthcare organizations demonstrate through a four-factor assessment that risks are low, explains privacy expert Kate Borten.'