Have a Breach? Reporting Requirements with the OCR

1st Talk Compliance features guest Trey Scott, Coordinating Attorney at Kennedy, Attorneys & Counselors at Law, on the topic of “Have a Breach? Reporting Requirements with the OCR.”Trey joins our host, Catherine Short to discuss the reporting requirements for a data breach of a healthcare provider, the definition of a breach, different timelines for reporting breaches, as well as how to complete a breach reporting form from the Office of Civil Rights.



Catherine Short:  0:01

Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complementary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel.

On today’s episode, we are speaking with Trey Scott, Coordinating Attorney at Kennedy Attorneys and Counselors at Law on the topic of “Have a breach? Reporting requirements with the OCR.” We will discuss the reporting requirements for a data breach of a health care provider, learn about the definition of a breach, understand the different timelines for reporting breaches, as well as how to complete a breach reporting form from the Office of Civil Rights.

Before we begin, I would like to mention at First Healthcare Compliance, we strive to serve as a trusted resource for compliance professionals and every month we celebrate their hard work and dedication with our compliance Super Ninja recognition.For this episode, we’re spotlighting Super Ninja, Gail Little-Osberg, Practice Manager at Attachment and Trauma Center of Nebraska. Gail says what she enjoys most about working there is the variety of taking care of a practice, working with a great team of therapists and of course, staying up to date on HIPAA and compliance. Congratulations Gail, our team is honored to have the privilege of working with you.

So, thank you, Trey, for joining me on 1st Talk Compliance. It’s a pleasure to have you on.


Trey Scott  2:10

Yes, thank you glad to be here. Glad to talk compliance to your listeners.


Catherine Short  2:16

Great. Do you think you could give us a little bit of an overview of what we’re going to be talking about and discussing on today’s program.


Trey Scott  2:28

So what we’re talking about here is we’re talking about reporting to the OCR (Office of Civil Rights) whenever there is a breach. Whenever you have a breach, regulations require you to do certain things. If a breach involves more than 500 individuals, you need to report that to the Office of Civil Rights, within 60 days of date of discovery of the breach. You also have certain things you need to do as far as notification of individuals, notification to the media but that’s that’s not really what I want to talk about here. If you have a breach that is less than 500 individuals or less, it ends up being 60 days from the beginning of the new year. If you have a breach that occurs in September, you have until 60 days from the beginning of the new year to report to the secretary now you’re probably wondering, well, this notification, I need to notify the secretary. How do I go about doing that? Well, the Secretary has made it really easy to report. What you do is you go to the HHS Office of Civil Rights. And they have a really, really nice web portal that allows you to report a breach. It asks you a bunch of questions that you answer as you go through. A lot of them are you a covered entity reporting a breach on behalf of yourself? Are you a business associate that has experienced a breach and you are reporting on behalf of a covered entity? Or are you a covered entity reporting on behalf of a business associate who has had a breach? You select those and you go through, you enter contact information for whatever the three options you selected. Then it will start asking you about the breach. It’ll ask you what safeguards you had in place, what information was breached, when the breach occurred, what the discovery date was.


The discovery date is when you found out about the breach because there are instances where a breach might occur due to a hack early in the year, and you just don’t discover it for whatever reason until the middle of the year. Well, the date you discovered the breach, that’s the discovery date and it’s when you knew or should have known about the breach. Then the portal questions will ask about the details of the breach, what happened, whether it was an inappropriate disposal of medical records, for example, whether it was the loss of a laptop, whether it was hacked, and then it will ask more details about it and you’ll be able to provide that underneath. Then it will ask what you’ve done following the breach. Have you notified the individuals? Did you have to notify the media? What other additional training have you done? Things of that nature. It’ll go through, and it will ask all of those questions. Finally, the breach portal will ask for an attestation to essentially say that everything you’ve reported here is accurate to the best of your knowledge, you’re not lying about anything, you’re not lying about the breach date, you’re not lying about notifying individuals, you’re not lying about when the discovery date occurred to give yourself more time.


Based on information provided, if it’s larger than 500 individuals, then the Secretary will take that information and post it to their website with the list of offenders who have had large breaches, if you go there, you’ll see breaches in the million, because for example, a Florida Health Plan got hacked and I think you will see there 3.5 million or 35 million individuals were affected. So if it’s over 500, you end up on that list, unfortunately. That’s really the process of reporting to the secretary in a nutshell.


Catherine Short  7:39

Okay, so we had talked about Civil Monetary Penalties existing. What about criminal penalties? I know you had talked about willful neglect, or you mentioned it, so I assumed that would go under criminal penalties. Could you explain that maybe a little bit more?


Trey Scott  7:56

Yes, I can. So whenever the Office of Civil Rights receive all of these breach notifications, if they rise to a level, then the Office of Civil Rights will actually conduct their own investigation. And through the process of their own investigation, if they do, in fact determine willful neglect or neglect that have not been corrected, there is the possibility that they can refer these breaches to the Department of Justice, and they can in fact, pursue criminal actions against the healthcare provider. So yes, it is very possible that a breach could result in criminal penalties if the investigation by OCR shows that.


Catherine Short  8:55

Okay, all right. How about an addendum? How long do you have to file an addendum if that’s what you choose?


Trey Scott  9:04

I don’t believe there is actually a deadline for when an addendum runs out. What you really need to do is ultimately determine if it’s still part of the same breach that you have already reported, or if it is, in fact, a new breach. So that’s really the key with an addendum. Most of the time, an addendum is used for things like including additional training that your team may have undergone, adding more patients to the total number, if it gets it from the below 500 to over 500 mark. That would be what an addendum is used for. If it was a hacked initially, and you reported that, but you also end up discovering that somehow your email was also hacked as part of that. That’s really what an addendum is for. There really isn’t a timeframe for how long you have to add to an addendum, but you just need to make sure it is still part of the same initial breach and isn’t a new breach.


Catherine Short  10:29

Could you expand on that a little bit? At what point would you consider it a new breach and not an addendum? Where’s that line?


Trey Scott  10:38

The line to me is, if it involves the same incident, if it is a situation where, for example, going back to the email and the hack, if your team can determine that that was all part of one incident, then you can add it to an addendum. But if you have a situation where, for example, a hack occurred on March 3, and you didn’t discover it until April 3, but then during your investigation, related to the March 3 hack, you find out there was another hack in between, that would be a separate incident. That wouldn’t be part of the same breach even though you may have discovered it around about the same time as the first breach. That would be completely separate and you would need to do a new breach notification and not just an addendum.


Catherine Short: 11:41

So if you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Trey Scott, Coordinating Attorney at Kennedy Attorneys and Counselors at Law on the topic of “Have a breach? Reporting requirements with the OCR.” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also find us on all other social media.

How about recommendations to avoiding a breach? What do you recommend?


Trey Scott  12:30

Most breaches occur due to poorly trained employees and employee carelessness. So my recommendation to avoid a breach is to make sure that your employees are trained on record security, are trained on not clicking email links that you’ve received, are trained on making sure to not save passwords and EHRs, not save passwords for laptops, make sure you have procedures in place to routinely change access codes for EMRs and building codes. Doing that and making sure it limits the risk of the employee inadvertently disclosing or inadvertently allowing unauthorized access. That’s my main recommendation. Make sure your employees are as trained as possible, because I know hacks, sounds scary and everything and they’re the ones that get the news, whether it’s for example, hacking, a large health plan or whether it’s hacking, even target has been hacked in the past. Those end up getting news because of how many people are affected but the reality is, hacking is more rare whenever it comes to the breaches, than you would necessarily think. A lot of the breaches that we have dealt with involve carelessness, inadvertent disclosures by employees. So make sure your employees are trained, make sure you have a good compliance program in place and that should limit a lot of the risk.


Catherine Short  14:45

Right? And even with training, you have to have it as second nature. You get these phishing, either phone calls or emails sometimes, first thing in the morning.


Trey Scott  14:57

Right. Example, we had is a client received a document from an email address that they thought was a patient of theirs. If you looked at the actual email address, it was nowhere near anything close to what the patient’s email address was but if you looked at the email display name, it was the patient’s name. The provider clicked on the document and by doing that, they allowed a virus and to get into their system. That ended up being a breach that was completely avoidable by just taking a few seconds to realize, to check the actual email address against what they have on file. It does take a additional step, but making sure your staff is trained to do things like that, or making sure yourself, you’re trained to take those additional steps can prevent a can prevent a breach.


Catherine Short  16:11

Right? It’s funny the other day, I had a phone call, and I often screen my calls, you get so many commercial calls, etc. But it said the name of a famous bank calling me and even though I didn’t have a credit card with them, I thought hmm, I wonder why they’re calling me. I answered the phone and what was funny was, so this was the first odd thing. They said, we’re calling from your cell phone company from the fraud department, and I thought, well, that’s odd. I wonder why it says the name of this famous bank on the name coming in from the call. They said, well, we’re calling from such and such phone from your phone company, we’re going to have to shut your phone down, etc. because there’s been some kind of breach or whatever. I was thinking, well, that’s weird. I go into my account fairly often and I can see what’s going on. In fact, I can go into my account right now and look. I said, Well, why does it say bank of such and such on the phone call? And they said, Well, we’re calling from the fraud department. And I said, Well, really? I said, Why doesn’t it say such and such phone company? And I kept asking them that and then they hung up the phone. So obviously,  this was some kind of fraud kind of phishing type of thing. I’m sure they wanted me to give them account information, all this kind of stuff.


Trey Scott  17:35



Catherine Short  17:36

It was really bewildering, because when the phone call came in, it looked like some kind of legitimate type of call. Only two things that were really odd were, number one, I don’t have an account or a credit card at this bank, and why would this bank be associated with this phone company? Those two things were just really odd, but they’re very widely used.


Trey Scott  18:01

Right. That’s why it’s important to make sure you’re checking things like that. Essentially, your first line of defense against breaches are your employees. You need to make sure they are aware of these attempts, like you just described and make sure they’re extra diligent.


Catherine Short  18:27

Yeah. And that their ears are perked, that they they’re trained and ready for these kinds of phishing type of things. I have a question here. Now people being who they are and trying to avoid things, but do we really need to report all breaches, even if it’s only one patient?


Trey Scott  18:45

Our recommendation is yes. And the reason why is because the regulations require that anytime there is a breach you obviously need to notify the patient that there was in fact, a breach. So because you’re going through the process of notifying the patient that their information was breached, even if it’s one patient, you need to go ahead and take the next step of notifying the secretary as well, because the worst thing that could happen is that the patient find out that their information was breached, and then the patient reports that their information has been breached, and they want to do something about it to the Office of Civil Rights, and you haven’t reported. That could lead to an investigation by OCR and once they start digging around, they may find more things and it can potentially end up a situation where they ultimately determine what you did was willful neglect, and you can end up with a large penalty. You don’t want to end up doing that. My recommendation is to report everything. I think that is what the rule of notification to the Secretary is saying, because it’s saying, you shall report to the Secretary and isn’t saying that you could, it isn’t saying that if you want to, and isn’t saying that it’s if it’s less than 10 patients, you don’t have to, it’s saying that if a breach occurs, you shall, which means must. I would recommend to all your listeners, if they don’t have one, obviously, make sure you have a compliance program in place because a good compliance program has prevented a lot of our clients from facing those penalties by the Office of Civil Rights. If you have a great program in place that you’re actually using, because it’s almost worse to have a compliance program in place and not use it, than it is to just not even have one. Make sure you have a good compliance program in place and make sure you’re actually following it and using it. If you do have a breach, that will really limit potential penalties that you’re going to be facing,


Catherine Short  21:21

If we report a breach are there any financial penalties we might face?


Trey Scott  21:26

Yes, yeah, thank you. There are tiers. Tier one, that’s where it was a lack of knowledge, it was not really anything that was too egregious of a breach, you could face a fine of $100 to $50,000 per incident. If you had reasonable cause to know that the breach was possible to occur, then you can face a fine of $1,000 to $50,000 per event. Then there is willful neglect. That’s tier three, that is when you just straight up don’t have any procedures in place, you have no compliance program, you have nothing in place, then that can be a fine of $10,000 to $50,000 per event. The last category is neglect. This is not having a compliance program in place and then you end up having a breach and you still don’t have a compliance program in place after the breach, then that is just straight up neglect, that is not corrected. That’s category four, and that is $50,000 per violation. These numbers are actually adjusted for inflation. I don’t know what the current totals are, but they are adjusted for inflation.


Catherine Short  23:01

Okay, how about this? In your opinion, what is the main cause of a data breach? Is it hackers, ransomware or something else? What’s your opinion on that?


Trey Scott  23:12

Employees are the main cause of data breaches, whether it’s loss of laptops, whether it’s of theft of laptops, leaving it in a car while you go eat at a restaurant, and someone breaks in and steals it, cell phones, use of email to send medical records that aren’t encrypted, not changing access codes, having an easy password, clicking on links in email that they shouldn’t, which allows a hacker to get into your system. All of that it’s the main cause of breaches our employees. For example, going back to the improper disposal, the reason that breach occurred was because an employee, the office manager, in charge of paying for the storage facility, forgot to pay for the storage facility for several months, and they ended up throwing away all the records. The number one cause of avoidable HIPAA breaches are employees and and why training is so important and why you need a compliance program in place in your organization.


Catherine Short  24:31

Trey, I wanted to thank you again so much for being here today. So thank you.


Trey Scott  24:36

Yes, thank you. Thank you to all the attendees out there. I definitely appreciate getting to speak with you about OCR reporting. Hopefully this was beneficial. I know there were some areas we didn’t necessarily cover like notification to individuals and notifications to media, and just some other nuances about doing a risk assessment, things of that nature, but hopefully if you do have a breach this will allow you to report to OCR and if you want to get an attorney involved to help you report to OCR, feel free to give us a call.


Catherine Short  25:12

Very good. Thank you so much for being on our show today Trey and for helping out our listeners.


Trey Scott  25:19

Yes, thank you for having me. It’s always a pleasure. I’m glad I was able to talk about this and hopefully, it’s helpful to the listeners out there. And obviously, if you have any more questions that think up after listening to this, then I’m sure you can reach out to First Healthcare Compliance and they can get in touch with me or if you want to reach me directly, you can email me at trey@markkennedylaw.com. My direct line is 214-998-3825. So if you want to chat over the phone, because you have a really lengthy question, feel free to give me a call.


Catherine Short  26:15

Yeah, so thank you so much for being here. It was a true pleasure.


Trey Scott  26:18

Definitely can say the same!


Catherine Short 26:21

Me too.  Thank you so much and thanks to our audience as well for tuning in today to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and then your voice to the conversation on Twitter @1sthcc or #1sttalkcompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.