Under the Breach Notification Rule, HIPAA covered entities are required to submit reports of certain breaches of unsecured protected health information (“PHI”) affecting fewer than 500 individuals to the Office for Civil Rights (“OCR”) on an annual basis. Covered entities must submit their breaches electronically through OCR’s breach notification web page no later than March 1, 2017.
The Breach Notification Rule requires covered entities to notify individuals and OCR of breaches of unsecured PHI. A breach is an impermissible use or disclosure that compromises the security or privacy of the PHI, unless an exception applies. Covered entities are required to notify individuals of a breach without unreasonable delay and no later than 60 days following a breach. If a breach affects 500 or more individuals, the covered entity must notify OCR at the same time it notifies the individuals. If, however, a breach affects fewer than 500 individuals, the covered entity must notify OCR no later than 60 days after the end of the calendar year in which the breach occurred. For such breaches, covered entities may choose to submit their notifications to OCR throughout the year or at one time, so long as notification is made within the annual deadline.
Compliance with the requirements of the Breach Notification Rule is important. In January of this year, OCR announced a $475,000 settlement with a covered entity due in part to a delay of over a month past the 60-day notification deadline in notifying affected individuals.
In December of 2016, OCR reported that the following HIPAA standards are the most commonly breached:
- Impermissible uses and disclosures of PHI;
- Lack of safeguards for PHI;
- Lack of patient access to their PHI;
- Use or disclosure of more than the minimum necessary PHI; and
- Lack of administrative safeguards for electronic PHI.
Additionally, private practices and general hospitals were the entity types most frequently required to take corrective action or achieve voluntary compliance. As of December 2016, 596 cases were referred to the Department of Justice for criminal investigation. OCR also reported that the cumulative amount of civil money penalties imposed on entities since 2003 is $48,679,700.
Practical Takeaway
Now is the time for covered entities to review all HIPAA complaints from 2016 to determine which incidents are reportable breaches based on the results of the entity’s risk assessment of the incident. Reportable breaches affecting fewer than 500 individuals must be reported to OCR no later than March 1, 2017.
If you need additional information about this topic, please contact:
- Charise R. Frazier at (317) 977-1461 or cfrazier@wp.hallrender.com; or
- Patricia E. Connelly at (317) 429-3654 or pconnelly@wp.hallrender.com; or
- Your regular Hall Render attorney.