The U.S. Department of Health & Human Services requires covered entities to report all breaches of unsecured protected health information.
First, you need to determine if you are a covered entity, subject to this requirement. A covered entity is a health care provider (including all doctors, dentists and chiropractors) who transmits any information electronically in connection with certain transactions. Most healthcare providers will be classified as a covered entity, but if you are unsure, give us a call. If you are not a covered entity, but you or your organization perform services for a covered entity that involves protected health information, you are likely a business associate and subject to certain notification requirements as well. Business associates must notify the covered entity “without unreasonable delay and no later than 60 days from the discovery of the breach” and provide the covered entity with all information relevant to the breach so that the covered entity may file their reports with the U.S. Department of Health & Human Services.
Second, you need to determine if you have any reportable breaches. Generally, a breach is an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Not sure if something constitutes a breach? Consult your Breach Notification Policy (https://www.kirschenbaumesq.com/page/practice-compliance) and/or contact Erica to discuss. You may require assistance with a breach analysis regardless, so it never hurts to run a scenario by us. Remember: consults are free for all listserv members.
Finally, if you determine that you are a covered entity and you have reportable breaches, then you must submit one report for each breach that has occurred. For breaches affecting more than 500 individuals, the covered entity must file a report “without unreasonable delay and in no case later than 60 days following a breach.” For breaches affecting fewer than 500 individuals, a report must be made within 60 days of the end of the calendar year in which the breaches were discovered, which is rapidly approaching. Do not wait until the last minute. While the report itself is not long, the content you are providing is extremely important as this is your opportunity to explain what happened and what actions were taken by your practice to rectify the situation and prevent the breach from occurring in the future. Some of the questions on the report that you should be prepared to answer include:
- contact information for the practice and for a business associate if the breach occurred at or by the business associate;
- dates the breach started, ended and was discovered;
- number of individuals affected by the breach;
- type and location of breach;
- type of protected health information involved (e.g., name, address, Social Security number);
- description of the breach;
- safeguards in place prior to the breach;
- dates notice of breach was given;
- actions taken in response to the breach.
The link to electronically submit a report (one per breach) is https://ocrnotifications.hhs.gov/
For more information regarding the annual report, please see OCR’s website available here (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html).
Have questions or need assistance with reporting? Contact Jennifer at 516 747 6700 x. 302, Jennifer@Kirschenbaumesq.com, or Erica at 516 747 6700 x. 308, EYoungerman@Kirschenbaumesq.com.