Did your practice experience a breach affecting fewer than 500 individuals in 2014? If so, the deadline for reporting the breach to the U.S. Department of Health and Human Services (HHS) is quickly approaching.
Per the Code of Federal Regulations (CFR), your practice has until March 1, 2015 to file a breach notification with HHS. According to the CFR, if a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify HHS of the breach within 60 days of the end of the calendar year in which the breach was discovered.
A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals and may report such breaches at the time they are discovered. The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically.
It is helpful to gather the requested information before going online to complete the form. The required information includes:
- Information on the Covered Entity (name, address, point of contact)
- Information if the breach occurred at the location of a Business Associate or by a Business Associate
- Information on how the breach occurred
- Notice of breach and actions taken
- Attestation that the information provided is accurate
Here is the link to the updated electronic notification form: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
Once the breach notification has been submitted, be prepared for possible follow-up by the Office for Civil Rights (OCR). This is the HHS agency that has audit and enforcement authority for HIPAA compliance. With all the attention OCR has placed on the breach notification process, covered entities need to be diligent in reporting breaches to the affected individuals and to HHS by the respective deadlines.
Additionally, if a breach of unsecured protected health information occurs at a Business Associate’s location or by a Business Associate, the Business Associate must notify the covered entity following the discovery of the breach. A Business Associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the Business Associate should provide the covered entity with the identification of each individual affected by the breach, as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
The ultimate goal is to prevent breaches from occurring. If a breach does happen, being decisive, organized and proactive can help move all the required notification procedures along in a systematic manner. A solid breach notification policy is a required section of a HIPAA Risk Management Plan. Being prepared ahead of time will help when you are faced with this stressful situation.