Reminder of Annual HIPAA Breach Reporting
By March 1st, HIPAA-covered entities and their business associates are required annually to notify the Office for Civil Rights (OCR) of breaches for unsecured protected health information (PHI) that affected under 500 individuals. Failure to comply with HIPAA Rules, which include notification requirements, may result in civil and criminal penalties.
In the past year, has your organization had any HIPAA breaches? A “breach” is defined as an impermissible use or disclosure under the Privacy rule that compromises the security or privacy of PHI. An impermissible use or disclosure is presumed to be a breach unless there is a low probability that the PHI has been compromised. Remember, PHI is defined as “individually identifiable health information” stored or transmitted by a covered entity.
Common causes of privacy incidents in healthcare:
- Stolen or lost electronic devices
- Unauthorized access on Electronic Health Records
- Downloading or sharing PHI on unauthorized devices, such as texting on a personal phone
- Cybercrime – Malware or ransomware attack
- Business Associate breach of information
- Faxing or emailing PHI to the wrong contact
- Improper disposal of PHI
- Social media posts
HIPAA breaches of health information are categorized into two class codes by the OCR:
- Over 500 individual records
- Under 500 individual records
- Breaches must be logged by the covered entity throughout the calendar year and reported to the OCR on an annual basis by no later than March 1st.
Before you are required to report any potential breaches, you must follow your internal breach notification process. Learn more about that process in: Identifying Reportable HIPAA Breaches
Following a HIPAA breach, notification must be made in writing to the affected individual without unreasonable delay, and no later than 60 days post discovery. Breaches that involve 500+ individual records also require a notice to OCR and media outlets without unreasonable delay, and no later than 60 days via the HHS website.
Before reporting, however, a risk assessment should be performed to determine if the impermissible disclosure is actually considered a HIPAA breach. The presumption of a breach can be overcome by demonstrating there is a low probability that the PHI has been compromised based on the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
There are three exceptions to the definition of a HIPAA breach:
- The PHI was unintentionally acquired or accessed in good faith by an employee working in the scope of their role and authority;
- The PHI was inadvertently disclosed by a person authorized by the covered entity to access PHI to another authorized person at the covered entity, or organized health care arrangement in which the covered entity participates. The PHI in this case was not further used or disclosed; or
- The covered entity has a good faith belief that the unauthorized person who received the PHI would not have been able to retain the information.
*In addition to federal requirements, providers are encouraged to take note of particular breach obligations under applicable state law.