Deadline Approaching to Report Certain HIPAA Breaches to Federal Officials

Baker Donelson
Contact

The HIPAA Breach Notification Rule requires covered entities to notify the Secretary of the Department of Health and Human Services (HHS) if a breach of unsecured protected health information (PHI) is discovered. As most entities are aware, if a covered entity has a breach of unsecured PHI that affects more than 500 individuals in a jurisdiction, a covered entity is required to notify the Secretary contemporaneously with notification to the affected individuals.

If a covered entity has a breach of unsecured PHI that affects fewer than 500 individuals, it is required to notify affected individuals within a reasonable time but no later than 60 days after the breach is discovered. In that situation, the covered entity is also required to notify the Secretary within 60 days of the end of the calendar year (March 1) in which the breach was discovered. The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but a separate notice for each breach incident is required. The notice must be submitted electronically via HHS's website. As covered entities have experienced issues with the website, we strongly discourage them from waiting until the last minute when reporting.

The Office of Civil Rights (OCR) within HHS is charged with civil enforcement of the HIPAA Rules. Pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act amendments to HIPAA, OCR is required to conduct audits to ensure that both covered entities and business associates are complying with HIPAA's requirements. OCR has indicated that it will begin audits of 350 covered entities and 50 business associates in 2015. The audits will focus on the entities' risk analysis and risk management, notice of privacy practices and content and timeliness of breach notification. Given the scrutiny that OCR is placing on breach notification, covered entities need to be diligent in reporting breaches to both affected individuals and HHS.

 

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising

Written by:

Baker Donelson
Contact
more
less

Baker Donelson on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide