HIPAA Breach Notification Reports Due to OCR by February 29, 2012 for Calendar Year 2011 Small Breaches

Posted on February 28, 2012 in Health Law News

Written by: Mark Swearingen

HIPAA covered entities are required to submit reports of small breaches (impacting fewer than 500 individuals) that occurred during calendar year 2011 to the Office for Civil Rights (“OCR”) by February 29, 2012 pursuant to the HIPAA Breach Notification Rule. Reports must be submitted electronically through OCR’s breach notification web page, which can be found by clicking here.

Small breaches may be reported to OCR throughout the year, or by this date.

The Breach Notification Rule requires covered entities to issue notifications of breaches of unsecured protected health information (“PHI”) that compromise the security or privacy of the PHI, unless an exception applies.  “Compromises the security or privacy” of the PHI means a HIPAA Privacy Rule violation that poses a “significant risk of financial, reputational, or other harm to the individual.”

HIPAA covered entities include health care providers, health care clearinghouses and health plans, such as HMOs and employer-sponsored group health plans.  Business associates are required to issue breach notifications to their covered entities.

Covered entities are required to notify individuals of breaches without unreasonable delay and in no case later than 60 days following the breach.  This is true regardless of how many individuals were affected by the breach.  In all cases where notification is provided to individuals, covered entities are required to also report those breaches to OCR.  For small breaches – those affecting fewer than 500 individuals – reports are due to OCR no later than 60 days after the end of the calendar year in which the breaches occurred.  For this year, the deadline is Leap Year Day, February 29, 2012, for last year’s small breaches.  For large breaches – those affecting 500 or more individuals – notifications must be reported to OCR contemporaneously with the notice to the individuals.

The breach report to OCR must contain the following information:

  • Covered entity’s contact information (and business associate contact information if applicable);
  • A brief description of the breach, including the number of individuals affected, the date of the breach, the date of discovery and the types of PHI involved;
  • The safeguards in place prior to the breach;
  • The date the individual(s) were notified and whether substitute notice and/or media notice were required; and
  • Actions taken in response to the breach.

Hall Render’s HIPAA Impact Series provides in-depth analysis of HIPAA issues and developments.

If you need additional information about this topic, please contact: