February 2016: The Month of Groundhog Day, Super Bowl 50, Valentine’s Day … and HIPAA Breach Notifications

Rebecca Williams
Davis Wright Tremaine LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Feb. 29, 2016, a/k/a Leap Day, is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2015. A small breach involves fewer than 500 individuals. While HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay (and no later than 60 days after discovery), covered entities must report small breaches to OCR no later than 60 days after the calendar year in which the small breaches were discovered—for this year, no later than Feb. 29, 2016.

Business associates of covered entities should not be affected by this deadline, as their reporting obligation is to the covered entity and not to OCR, unless the covered entity has delegated its breach reporting obligations to the business associate.

How to Notify. Covered entities should report each small breach separately online at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf.

OCR has indicated for the last seven years that it plans to provide a means to report multiple small breaches to OCR through a single log or report in the future. As it still has not done so, OCR requires a separate report for each small breach.

Steps to Take for Notifications. In making these notifications, covered entities may consider:

  • Designating a person within the covered entity who will be responsible for the notifications and verifying the person’s availability to make the notifications in a timely manner. There have been situations when the Privacy Officer was vacationing at the time the notifications were due.
  • Reviewing – and printing out – the questions ahead of time. Click here for a Davis Wright document outlining the notification questions on the OCR website.
  • Preparing the contents of the notification in advance. It may be helpful to have legal counsel or other appropriate people review the notifications prior to submitting to OCR.
  • Printing out a “receipt” of the filing or other documentation to demonstrate timely notification to OCR.
  • Verifying that the covered entity has appropriate documentation in place relating to the breach, timely and appropriate notifications, mitigation, and corrective actions.
  • Being prepared - Notifications may spur investigations and compliance reviews from OCR.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP
Davis Wright Tremaine LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Davis Wright Tremaine LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide