All covered entities must submit annual reports of HIPAA breaches to the U.S Department of Health and Human Services and the deadline for filing 2013 breaches is coming quickly.
While there is a requirement under the Breach Notification Rule for healthcare institutions and their business associates to make HHS aware of any breaches involving more than 500 people as quickly as possible, smaller breaches affecting fewer than 500 people only need to be included in an annual report. HIPAA-covered bodies now only have a few weeks to file the reports, which must be received by the HSS no later than March 1st, 2014.
A PHI breach including less than 500 people must be made known to the HHS within 60 days of the end of the calendar year during which the breach was discovered. Therefore any data breaches discovered during 2013 must now be included in the report to the HHS. In many security breaches it is not instantly clear how many individuals have been affected. If a review is still ongoing, the entity in question should provide an approximation of the number of people affected and once the final number is known it can be filed to the OCR as an addendum at a later date.
The introduction of the HIPAA Omnibus Rule, which came into effect on September 23, 2013, changed how covered organizations must review and report data breaches. Before the passing of the new rule, healthcare organizations were obliged to make a subjective assessment based on the potential damage caused by a breach under the “risk of harm standard”. Now the assessment process is more involved, requiring a 4-factor risk assessment to be completed on any potential security breach involving unencrypted PHI.
In the case of a low probability of disclosure of PHI a breach notification is not required to be issued; however if this cannot be determined with any degree of certainty the incident must be dealt with as full breach. The organization must therefore adhere with breach notification rules and warn those affected to the potential disclosure of their PHI.
What is a 4-Factor HIPAA Breach Risk Assessment?
- Assessment of the “nature and extent” of the breach, the data possibly exposed and any personal identifiers present ion the data.
- Who had access to the PHI and the person or persons to whom PHI has been disclosed?
- Determination of the exact data accessed, acquired or seen as a result of the breach
- Whether any possible loss or damage has been prevented.
Following this assessment a HIPAA covered body should decide whether a breach notification should be sent and whether the incident should be made known immediately to the OCR.