As the end of the year approaches, keep in mind that every breach of unsecured protected health information (PHI) affecting fewer than 500 individuals must be reported to the Secretary of the Department of Health and Human Services (HHS) no later than 60 days after the end of the calendar year in which the breach was discovered. ("Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example by encryption or destruction consistent with HHS guidance; PHI that was properly encrypted at the time of the incident is not "unsecured" and its loss is not a reportable breach.) If the organization has already reported a breach affecting fewer than 500 individuals, this deadline does not require a second report for that same breach. However, each breach incident must be reported separately, either at the time of discovery or within the 60-day window after the end of the calendar year.

Each breach must be reported to the HHS Office for Civil Rights (OCR) through its online breach portal. The report is filed by the covered entity for its own organization or for a breach that occurred at one of its business associates; a business associate may also file on behalf of a covered entity if the covered entity has delegated that responsibility to it. In addition to the organization's identifying information, the portal requires the following:

  • Dates of the breach
  • Dates of discovery
  • Number of individuals affected
  • Type of breach (Hacking/IT Incident, Improper Disposal, Loss, Theft, Unauthorized Access/Disclosure)
  • Location of Breach (Desktop Computer, EMR, Email, Laptop, Network Server, Other Portable Electronic Device, Paper/Films)
  • Type of PHI (Clinical, Demographic, Financial)
  • Privacy and Security Rule safeguards in place prior to the breach (Training, Policies and Procedures, Risk Analysis, Risk Management, Facility Access Controls, Workstation Security, Access Controls, and Transmission Security)
  • Dates of Individual, Media or Other Notices
  • Actions taken in response to the breach (Adopted Encryption, Strengthened Password Protection, Updated Security Rule Risk Management Plan and Risk Analysis, New Technical Safeguards and Evaluations, Improved Physical Security, Free Credit Monitoring, Revised BA Contracts and Provided HIPAA Training, Revised Policies and Procedures, Retrained Workforce Members, Sanctioned Workforce Members, Steps Taken to Mitigate Harm)

Fortunately, not every impermissible use or disclosure of PHI is a breach. The Breach Notification Rule excludes: the unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of a covered entity or business associate, if done in good faith and within the scope of that person's authority; the inadvertent disclosure of PHI by one person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement; and a disclosure where the organization has a good-faith belief that the unauthorized recipient could not reasonably have retained the information. The first two exclusions apply only if no further use or disclosure of the PHI occurs. Because filing a report may prompt an OCR investigation, document the risk assessment for the incident and consider consulting a healthcare attorney before reporting, to confirm that the event is in fact a reportable breach.