Deadline for 2013 HIPAA Breach Reports Approaching Fast

by Ryan Coyne | Feb 5, 2014

All covered entities must submit annual reports of HIPAA breaches to the U.S Department of Health and Human Services and the deadline for filing 2013 breaches is coming quickly.

While there is a requirement under the Breach Notification Rule for healthcare institutions and their business associates to make HHS aware of any breaches involving more than 500 people as quickly as possible, smaller breaches affecting fewer than 500 people only need to be included in an annual report. HIPAA-covered bodies now only have a few weeks to file the reports, which must be received by the HSS no later than March 1^st, 2014.

A PHI breach including less than 500 people must be made known to the HHS within 60 days of the end of the calendar year during which the breach was discovered. Therefore any data breaches discovered during 2013 must now be included in the report to the HHS. In many security breaches it is not instantly clear how many individuals have been affected. If a review is still ongoing, the entity in question should provide an approximation of the number of people affected and once the final number is known it can be filed to the OCR as an addendum at a later date.

The introduction of the HIPAA Omnibus Rule, which came into effect on September 23, 2013, changed how covered organizations must review and report data breaches. Before the passing of the new rule, healthcare organizations were obliged to make a subjective assessment based on the potential damage caused by a breach under the “risk of harm standard”. Now the assessment process is more involved, requiring a 4-factor risk assessment to be completed on any potential security breach involving unencrypted PHI.

In the case of a low probability of disclosure of PHI a breach notification is not required to be issued; however if this cannot be determined with any degree of certainty the incident must be dealt with as full breach. The organization must therefore adhere with breach notification rules and warn those affected to the potential disclosure of their PHI.

What is a 4-Factor HIPAA Breach Risk Assessment?

Assessment of the “nature and extent” of the breach, the data possibly exposed and any personal identifiers present ion the data.
Who had access to the PHI and the person or persons to whom PHI has been disclosed?
Determination of the exact data accessed, acquired or seen as a result of the breach
Whether any possible loss or damage has been prevented.

Following this assessment a HIPAA covered body should decide whether a breach notification should be sent and whether the incident should be made known immediately to the OCR.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter