Did your organization experience a HIPAA breach involving fewer than 500 individuals in 2015? If so, remember to submit your mandatory report to the Secretary of HHS no later than February 29, 2016, through the online breach portal.
The HIPAA Breach Notification Rule requires Covered Entities to make certain notifications following a "breach" of unsecured protected health information ("PHI"). A use or disclosure of unsecured PHI that is not permitted under HIPAA is presumed to be a breach unless a risk assessment demonstrates there is a low probability that the PHI has been compromised. Under this definition, a wide range of impermissible uses and disclosures can constitute a breach, including inappropriate access of medical records by employees or lost/stolen electronic devices containing unencrypted PHI. A breach can also include more common mistakes, such as accidentally providing a patient with discharge paperwork concerning another patient or misdirecting a fax by transposing numerals when dialing.
In addition to notification of the individuals involved, breaches must be reported to the Secretary of HHS. A breach affecting 500 or more individuals must be reported to the Secretary without unreasonable delay and no later than 60 calendar days from discovery of the breach. Breaches affecting fewer than 500 individuals must be reported on an annual basis within 60 days of the end of the calendar year in which the breach was discovered. Although these reports can be made throughout the year, a Covered Entity may choose to report all of its breaches at one time, after the close of the calendar year. Breaches affecting fewer than 500 individuals are reported by completing an electronic form on the "Breach Portal" website.
Are you ready to complete your annual breach report? Gather your breach notification log and any supporting documentation you may need. Be prepared to provide information such as the date(s) of the breach, date of discovery, number of individuals affected, type of PHI involved, dates individual notice was provided, and brief descriptions of the breach, safeguards in place prior to the breach, and your response to the breach. Even if you file all your reports on the same day, you will need to file a separate report for each breach. Make sure to leave yourself adequate time! Click here to access the HHS Breach Portal.