OCR Updates Breach Report Web Portal — Changes Could Impact Annual Breach Reports

BakerHostetler
Contact

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014 breach notification reports for incidents affecting fewer than 500 individuals within 60 days of the end of the calendar year, as permitted under 45 C.F.R. § 164.408(c).

While the previous version of the Breach Portal consisted of a single Web page where the user could input the information to be included in the report, the updated Breach Portal utilizes a “Wizard” format in which the user inputs information in successive stages. The Wizard also adapts to the information provided—for example, different information is required if the user indicates it is a business associate filing the report on behalf of a covered entity versus a covered entity filing on its own. The Wizard also includes expanded functionality, such as the ability to add expanded contact information for multiple covered entities or business associates.

But perhaps the most important changes involve the information required in the report. Unlike the previous version of the Breach Portal, a “Breach End Date” and a “Discovery End Date” are no longer optional and must be provided in order to submit the report. The updated Breach Portal also replaces the original options available for selection as “Safeguards in Place Prior to the Breach”—which formerly included 10 somewhat technical options: Firewalls, Packet Filtering (router-based), Secure Browser Sessions, Strong Authentication, Encrypted Wireless, Physical Security, Logical Access Control, Anti-Virus Software, Intrusion Detection, and Biometrics—with the following more general options:

  • None
  • Privacy Rule Safeguards (Training, Policies and Procedures, etc.)
  • Security Rule Administrative Safeguards (Risk Analysis, Risk Management, etc.)
  • Security Rule Physical Safeguards (Facility Access Controls, Workstation Security, etc.)
  • Security Rule Technical Safeguards (Access Controls, Transmission Security, etc.)

The updated Breach Portal also replaced the original options available for selection as “Actions Taken in Response to Breach”—which formerly included Security and/or Privacy Safeguards, Mitigation, Sanctions, Policies and Procedures, and “Other”—with 15 much more detailed options:

  • Adopted encryption technologies
  • Changed password / strengthened password requirements
  • Created a new/updated Security Rule Risk Management Plan
  • Implemented new technical safeguards
  • Implemented periodic technical and nontechnical evaluations
  • Improved physical security
  • Performed a new/updated Security Rule Risk Analysis
  • Provided business associate with additional training on HIPAA requirements
  • Provided individuals with free credit monitoring
  • Revised business associate contracts
  • Revised policies and procedures
  • Sanctioned workforce members involved (including termination)
  • Took steps to mitigate harm
  • Trained or retrained workforce members
  • Other (which, if selected, requires additional narrative explanation)

Given the detail required by the updated Breach Portal, a covered entity’s decision about which of these options to select when submitting a breach report could impact subsequent OCR investigations of reported incidents. These updates could also be viewed as an indication of the types of safeguards and corrective actions OCR expects to see in connection with breach reports.

As the March 2, 2015, 60-day deadline for reporting 2014 breaches affecting fewer than 500 individuals to HHS rapidly approaches, covered entities will need to carefully evaluate their breach report submissions in light of the recent Breach Portal updates. Failure to do so could trigger OCR investigations.

This blog post is a joint submission with BakerHostetler’s Data Privacy Monitor blog.

 

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler
Contact
more
less

BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.