Start spreading the news...it's nearing time for HIPAA breach reporting! As a reminder, HIPAA requires covered entities to provide notification of a breach of unsecured protected health information. If you're wondering whether you're a covered entity, it's simple: if you operate a medical practice (and, based on your subscription to this newsletter, you likely do), you almost certainly are.

The Department of Health and Human Services ("HHS") provides two reporting procedures, based on the number of individuals affected by the breach. If the breach affected 500 or more individuals, the covered entity must submit a breach notice to the HHS Secretary without unreasonable delay, and in no case later than 60 days from the date the breach was discovered, electronically here: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true

If a breach affected fewer than 500 individuals, the covered entity must notify the HHS Secretary no later than 60 days after the end of the calendar year in which the breach was discovered, electronically at the same address: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true. For these smaller breaches, the covered entity may submit all of the year's breaches at one time, but must complete a separate breach notice for each breach incident (not one combined notice). Covered entities do not have to wait until the end of the calendar year to report this kind of breach; they may also report at the time the breach is discovered.

While the reporting process itself is fairly simple and self-explanatory, the report sets the stage for the government follow-up or audit that may come after it. Items on the report you should be prepared to complete are:
  • Name, address, and point of contact information for the covered entity. If you are filing on behalf of a business associate, you will also need the name, address, and point of contact information for the business associate.
  • The approximate number of individuals the breach affected; breach start and end dates; breach discovery start and end dates; type of breach; location of the breach; type of protected health information involved; a description of the breach (the form allows up to 4,000 words); and the safeguards that were in place prior to the breach.
  • Individual notice start and end dates; whether substitute notice was required; whether media notice was required; and the actions taken in response to the breach.
Most practices have a few incidents to consider from the preceding year: incorrect patient information sent to a patient, a record accidentally released to the wrong email address, a ransomware attack, unauthorized employee access. Not all of these scenarios give rise to a "breach." An impermissible use or disclosure is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the protected health information was compromised. The Practice, or the Practice's counsel, may have determined on that basis that a particular unauthorized disclosure did not amount to a breach. Perhaps the unauthorized disclosure was as simple as sending the wrong patient chart to a referring provider, in which case, while an unauthorized or unintended disclosure, it is likely not a breach and, therefore, not reportable. Where an unauthorized disclosure is not mitigated or cannot be mitigated, a reporting obligation likely exists. Keep in mind that your breach report sets the stage for any further government inquiry or assessment of the breach and will set the tone of any resolution presented to the government. Let's put our best foot forward with a properly considered initial report...

Let Jennifer know if you have questions on breach reporting or require assistance with assessments of any unauthorized disclosures. You can reach Jennifer best by email: Jennifer@kirschenbaumesq.com