
The Deadline for Annual HIPAA Breach Notification Reports Is Fast Approaching

Posted on February 17, 2014 in Health Law News

Published by: Hall Render

Under the Breach Notification Rule, HIPAA covered entities are required to submit reports of certain breaches of unsecured protected health information (“PHI”) affecting fewer than 500 individuals to the Office for Civil Rights (“OCR”) on an annual basis.  No later than March 1, 2014, covered entities must submit these breach reports electronically through OCR’s breach notification web page, which can be found here.

The Breach Notification Rule requires covered entities to notify individuals and OCR of breaches of unsecured PHI that compromise the security or privacy of the PHI, unless an exception applies.  Covered entities are required to notify individuals of a breach without unreasonable delay and no later than 60 days following a breach.  If a breach affects 500 or more individuals, the covered entity must notify OCR simultaneously with the notification to the individuals.  If, however, a breach affects fewer than 500 individuals, the covered entity must notify OCR no later than 60 days after the end of the calendar year in which the breach occurred.  For such breaches, covered entities may choose to submit their notifications to OCR throughout the year or at one time, so long as notification is made within the annual deadline.

Compliance with the requirements of the Breach Notification Rule is important.  In December 2013, OCR entered into a Resolution Agreement with a physician practice, whereby the practice was required to pay $150,000 for alleged violations of HIPAA, including failing to comply with the requirements of the Breach Notification Rule.

OCR reports that the most common breaches involve the following HIPAA standards, in order of frequency:

  • Impermissible uses and disclosures of PHI;
  • Lack of safeguards for PHI;
  • Lack of patient access to their PHI;
  • Uses or disclosures of more than the minimum necessary PHI; and
  • Lack of administrative safeguards for electronic PHI.

Practical Takeaway

Now is the time for covered entities to review all HIPAA complaints to determine which incidents are reportable breaches based on the results of the entity’s risk assessment of the incident.  Reportable breaches should be submitted to OCR no later than March 1, 2014.

If you need additional information about this topic, please contact Charise R. Frazier at (317) 977-1406 or cfrazier@wp.hallrender.com, Mark J. Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com or your regular Hall Render attorney.
