The deadline for reporting 2014 security breaches that affected fewer than 500 people falls within the next three weeks.
Any healthcare provider or other covered entity that has not yet filed all of its 2014 breach reports must ensure they have all been submitted – and updated where necessary – via the HHS website portal by the March 2, 2015 deadline.
Under the HIPAA Breach Notification Rule, all organizations covered by the Health Insurance Portability and Accountability Act must report breaches affecting more than 500 individuals within 60 days of discovering the breach. The Office for Civil Rights must be notified, and every individual affected by the breach must also be informed so that they can take the necessary steps to mitigate any resulting harm.
Covered entities are also obliged to report breaches affecting fewer than 500 people to the Department of Health and Human Services, although the breach reports only need to be filed once per year. A failure to file a breach report – or submitting inaccurate breach reports – is a violation of the HIPAA Breach Notification Rule, and could see the OCR issue a penalty for non-compliance or may trigger a full HIPAA compliance audit.
Recent alterations to the HHS breach reporting portal included a change to the format – a new wizard has been established – and changes to the information which must be supplied to the OCR about data breaches. More detailed information must be submitted covering the steps that have been taken in response to breaches. The change of system so close to the reporting deadline may place some healthcare providers under stress if they do not have all the required information in their breach logs.
Now is the perfect time to put policies in place covering future breach reports and to incorporate the recent changes to the breach reporting portal into existing procedures. The HHS does not specify when small breach reports should be made – it sets only an annual deadline – but a good practice is to file each breach report as soon as the preliminary investigation has been completed.
Further information can be later added as addenda – such as the actions taken to address security weaknesses identified by the breach. A final check of filed breach reports can then take place as the deadline looms. This ensures all information needed by the OCR is obtained and provided at a time when it is easiest to gather.
The amendments to the web portal should serve as a timely reminder to HIPAA-covered organizations that the OCR is closely reviewing all data breaches, not just those affecting thousands of people. The additional information now required for small breach reports suggests that these reports are being scrutinized, and that the OCR is looking closely at the risk management policies organizations implement in response to breaches to address every security weakness those breaches uncover.