The HIPAA Breach Notification Rule requires covered entities to notify the Secretary of the Department of Health and Human Services (HHS) if a breach of unsecured protected health information (PHI) is discovered. As most entities are aware, if a covered entity has a breach of unsecured PHI that affects more than 500 individuals in a jurisdiction, a covered entity is required to notify the Secretary contemporaneously with notification to the affected individuals.
If a covered entity has a breach of unsecured PHI that affects fewer than 500 individuals, it is required to notify affected individuals within a reasonable time but no later than 60 days after the breach is discovered. In that situation, the covered entity is also required to notify the Secretary within 60 days of the end of the calendar year (March 1) in which the breach was discovered. The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but a separate notice for each breach incident is required. The notice must be submitted electronically via HHS's website. As covered entities have experienced issues with the website, we strongly discourage them from waiting until the last minute when reporting.
The Office of Civil Rights (OCR) within HHS is charged with civil enforcement of the HIPAA Rules. Pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act amendments to HIPAA, OCR is required to conduct audits to ensure that both covered entities and business associates are complying with HIPAA's requirements. OCR has indicated that it will begin audits of 350 covered entities and 50 business associates in 2015. The audits will focus on the entities' risk analysis and risk management, notice of privacy practices and content and timeliness of breach notification. Given the scrutiny that OCR is placing on breach notification, covered entities need to be diligent in reporting breaches to both affected individuals and HHS.
Contact a member of Baker Donelson's Privacy and Security team if you have concerns regarding your breach notification policies and procedures or for assistance with reporting breaches to HHS.