Provided by: Jennifer Kirschenbaum, Esq.

  December 11, 2019

 

Question:

Jennifer, 

I remember reading I have to disclose breaches. Can you remind me what a breach is, what is not a breach and what I have to disclose and when?  

Thank you! 


Answer:

Sure, this is an easy one... A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

•    The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
•    The unauthorized person who used the protected health information or to whom the disclosure was made;
•    Whether the protected health information was actually acquired or viewed; and
•    The extent to which the risk to the protected health information has been mitigated.

https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html

There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below.  If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report. Please review the instructions below for submitting breach notifications.  
https://www.hhs.gov/hipaa/for-professionals/faq/2040/what-is-a-covered-entitys-obligation-under/index.html 

Breaches Affecting 500 or More Individuals - If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically by clicking on the link below and completing all of the required fields of the breach notification form.

Breaches Affecting Fewer than 500 Individuals - If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form.
https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true

If you have not adopted a breach notification policy yet for the practice, we do recommend you do so. We are happy to help with a customizable policy, which we offer as part of our compliance package, here:
http://kirschenbaumesq.com/page/practice-compliance

If you have any questions on the breach notification requirements and whether you are required to complete the forms or not, you can contact Michael Foster directly at MFoster@kirschenbaumesq.com or Jennifer directly at Jennifer@Kirschenbaumesq.com.