Reminder of Annual HIPAA Breach Reporting
By March 1st, HIPAA-covered entities and their business associates are required annually to notify the Office for Civil Rights (OCR) of breaches for unsecured protected health information (PHI) that affected under 500 individuals.
In the past year, has your organization had any HIPAA breaches? A “breach” is defined as an impermissible use or disclosure under the Privacy rule that compromises the security or privacy of PHI. An impermissible use or disclosure is presumed to be a breach unless there is a low probability that the PHI has been compromised. Remember, PHI is defined as “individually identifiable health information” stored or transmitted by a covered entity.
HIPAA breaches of health information are categorized into two class codes by the OCR;
- Over 500 individual records
- Under 500 individual records
- Breaches must be logged by the covered entity throughout the calendar year and reported to the OCR on an annual basis by no later than March 1st
Before you are required to report any potential breaches, you must follow your internal breach notification process. Learn more about that process in: Identifying Reportable HIPAA Breaches
When to report a HIPAA breach
Following a HIPAA breach, notification must be made in writing to the affected individual without unreasonable delay, and no later than 60 days post discovery. Breaches that involve 500+ individual records also require a notice to OCR and media outlets without unreasonable delay, and no later than 60 days via the HHS website.
Before reporting, however, a risk assessment should be performed to determine if the impermissible disclosure is actually considered a HIPAA breach. The presumption of a breach can be overcome by demonstrating there is a low probability that the PHI has been compromised based on the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
There are three exceptions to the definition of a HIPAA breach:
- The PHI was unintentionally acquired or accessed in good faith by an employee working in the scope of their role and authority;
- The PHI was inadvertently disclosed by a person authorized by the covered entity to access PHI to another authorized person at the covered entity, or organized health care arrangement in which the covered entity participates. The PHI in this case was not further used or disclosed; or
- The covered entity has a good faith belief that the unauthorized person who received the PHI would not have been able to retain the information.
*In addition to federal requirements, providers are encouraged to take note of particular breach obligations under applicable state law.