HIPAA Breach Notification Goes Live: Providers May Now Report Breaches to DHHS Via Online Form
Health Law Update 10/06/09 Sarah E. Coyne, Kevin J. Eldridge
We know you've been waiting with bated breath for this - covered entities, you may now report breaches of unsecured protected health information ("PHI") to the Department of Health and Human Services ("DHHS") via an online form on the DHHS website. As we discussed in our August Health Law Update, A HIPAA Breach Notification Handbook, covered entities that experience a breach of their patients' unsecured PHI are required under HIPAA to notify individuals and DHHS, and under some circumstances the media, about the breach.
As of October 2, covered entities may submit required notifications to DHHS through a form available on the Office for Civil Rights ("OCR") website. The form is accessible here. In this update, we'll review the DHHS breach notification requirements, consider when covered entities should notify DHHS of any breaches, walk you through key parts of the notification form and discuss when covered entities should begin notifying DHHS of breaches.
Recap of DHHS Breach Notification Requirements:
First, we'll quickly recap for you the requirements for notifying DHHS of breaches (but you should still re-read our August update because it goes into more detail - and because it makes for a fascinating read!). If a covered entity experiences a breach of unsecured PHI involving 500 or more individuals, it must notify DHHS at the same time it notifies individuals of the breach (i.e., at the very latest, within 60 days of discovering breach). On the other hand, for breaches involving fewer than 500 individuals, the covered entity must maintain a log or other documentation of the breaches throughout the year and notify DHHS of all such breaches within 60 days after the start of the next calendar year. (For those of you who are calendar-challenged, that means by about the end of February every year.)
When to Provide Notice for Breaches Involving Fewer than 500 individuals:
Yes, we know that we just told you to notify DHHS by the end of February of breaches involving fewer than 500 individuals during the prior year. However, if a covered entity experiences more than a few such breaches every year, consider providing the DHHS notification earlier than the February deadline.
Why? Because covered entities must individually report every breach involving fewer than 500 individuals. That means if you experienced, for example, 50 such breaches during the prior calendar year, your privacy officer could be spending the last few days each February filling out DHHS forms. Nothing prohibits covered entities from reporting breaches earlier than the end of February.
However, even if you choose to notify DHHS well before the end of February, you still must separately log or document the individual breaches. Why? Because DHHS says so.
The Notification Form:
All right, on to the fun stuff (yes, this is what passes for fun for lawyers). To make a report of either type of breach, covered entities will use the same form available on the OCR website. The form is fairly straightforward, so we won't take you step-by-step through all of its parts, but we will focus on a couple of key sections.
The sections of the form are as follows: covered entity information; business associate information, if breach occurred at or by business associate; breach description; notice of breach and actions taken and attestation. The breach description and notice of breach and actions taken sections will be the most important sections. We will discuss each in turn.
In the Breach section of the form, covered entities must describe:
- Type of breach: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other and/or unknown.
- Location of breached information: laptop, desktop computer, network server, E-mail, other portable electronic device, electronic medical record, paper and/or other.
- Type of PHI involved in the breach: demographic information, financial information, clinical information, and/or other.
- Safeguards in place prior to the breach: firewalls, packet filtering (router-based), secure browser sessions, strong authentication, encrypted wireless, physical security, logical access control, anti-virus software, intrusion detection, and/or biometrics.
- Brief description of the breach: location of the breach; description of how the breach occurred; any additional information regarding the type of breach, type of media, and type of PHI involved in the breach.
In the Notice of Breach and Actions Taken section, covered entities must indicate:
- The date of individual notice.
- Whether substitute notice was required (i.e., notice by other than U.S. mail or to the media in lieu of individuals-see our August update for further information).
- Whether notice to the media was required; notice to the media is required when the breach involved more than 500 individuals in a state.
- The actions taken in response to the breach: security and/or privacy safeguards, mitigation, sanctions, policies and procedures and/or other actions taken. Covered entities must describe these actions in detail.
These parts of the form should be carefully planned out in advance and covered entities may consider involving counsel in drafting these sections. If a breach was not caused by a covered entity's HIPAA violation, the covered entity should explain why. If the breach was caused by the covered entity's HIPAA violation, it will want to carefully describe the circumstances of the breach and show that it undertook a strong and thorough response to prevent similar breaches in the future.
When to Start Logging Breaches: Now.
The DHHS breach notification regulations were effective on September 23, 2009, but DHHS has said it will not begin to impose sanctions for failures to provide notification of breaches that occur before February 22, 2010.
However, it appears that DHHS could sanction covered entities and business associates for failing to track breaches that occur on or after September 23 and that involve fewer than 500 individuals. DHHS expects covered entities to report all such breaches by March 1, 2010; covered entities and business associates must have the infrastructure in place now to start tracking those breaches and report them by March.
* * *