Welcome to the third and final post in our three-part HIPAA Breach series! In the first post, HIPAA Breach Primer: Part 1—The Risk Assessment, we provided an overview of HIPAA requirements and how to conduct a Risk Assessment to determine the risk that a HIPAA violation occurred. In the second post, HIPAA Breach Primer: Part 2—Patient Notification, we outlined requirements and considerations when the rules require patient notification.
This post explores the last step—reporting the breach to the U.S. Department of Health and Human Services (HHS). Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach. If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, firstname.lastname@example.org. You may also learn more about our law firm by visiting www.hamillittle.com.
Timing of Report
If the Risk Assessment revealed that a HIPAA breach likely occurred, the next step is to think about what notice is required. In addition to notifying impacted patients, the Covered Entity (or, in some circumstances, Business Associate) must report the breach to the Secretary of HHS. If a breach affects 500 or more individuals, the timing for reporting to HHS is the same as for notifying patients—without unreasonable delay and in no case later than 60 days following a breach.
If a breach affects fewer than 500 individuals, however, the breach need only be reported no later than 60 days after the end of the calendar year in which the breach is discovered. The idea is that a Covered Entity can report smaller breaches at one time at the end of the year. The Covered Entity need not wait until the end of the year to report if it does not wish to. Note, even if more than one breach is reported at the end of the year, each breach incident must be submitted individually.
How to Report
HHS makes reporting breaches simple through the HHS website, available here. A copy of the sample report form is also available on HHS’s website for a Covered Entity to review. The report includes six tabs that must be completed: General, Contact, Breach, Notice of Breach and Actions Taken, Attestation, and Summary. The Breach tab requires identifying the type of breach, the location of breach, the type of PHI involved in the breach, a brief description of the breach, and the safeguards in place prior to the breach. Under the Notice of Breach and Actions Taken tab, the reporter must detail the measures taken to (a) provide notice to affected patients and (b) mitigate against harm. As mentioned in the previous post, it is important to log the notice provided to each affected patient in real time so that those details can be included in the report to HHS.
We hope you have found the HIPAA Breach series useful. If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, email@example.com. You may also learn more about our law firm by visiting www.hamillittle.com.
*Disclaimer: Thoughts shared here do not constitute legal advice.