The next HHS deadline regarding reportable breaches of unsecured PHI is March 1, 2014. Read on to learn about the specifics of this deadline, what it means to your organization and action steps you can take today.
The Breach Notification Rule requires covered entities to provide the Secretary of HHS with notice of breaches of unsecured protected health information (PHI). 45 CFR § 164.408
The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 calendar days after discovery, at the same time the affected individuals are notified.
For breaches of unsecured PHI that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice no later than 60 days after the end of the calendar year in which the breaches were discovered.
IT’S IMPORTANT TO NOTE that the Omnibus Final Rule clarified that notification to the Secretary (for breaches affecting fewer than 500) is to occur within 60 days of the end of the calendar year in which the breaches were discovered, not the year in which they occurred.
Notice of Breaches Affecting Fewer than 500 Individuals Discovered in 2013
Annual notice must be submitted electronically. All information required on the breach notification form must be provided. For every breach that was discovered during calendar year 2013, a separate form must be completed and submitted no later than March 1, 2014.
As the HHS website instructs: if at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.
Submit Notice to the Secretary of a breach impacting fewer than 500 individuals.
Ask Questions regarding the completion and submission of this form.
The Required 4-Factor Risk Assessment: What You Need to Do for Proper Breach Determination under HIPAA Omnibus Rule
Before the start of enforcement of the HIPAA Omnibus Rule on September 23, 2013, HIPAA covered entities reported breaches based on a more subjective "risk of harm standard," which had entities weigh whether an incident was likely to cause financial, reputational or other harm to an individual.
Under the updated Breach Notification Rule included in HIPAA Omnibus, organizations now must consider 4 factors in assessing breach incidents.
Unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a "breach." The covered entity can overcome that presumption only by demonstrating a “low probability” that the PHI has been compromised, based on a risk assessment evaluating these 4 factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
If evaluation of these four factors fails to demonstrate low probability that the PHI has been compromised, breach notification is required.
THERE IS SAFE HARBOR: No breach notification is required for PHI that is encrypted in accordance with the “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” (74 Federal Register, Pages 42740, 42742). The safe harbor applies only if the decryption key (or other confidential process) was not itself breached, so a lost laptop with full-disk encryption qualifies only if the key or passphrase did not travel with it.
Stericycle Provides the Essentials for HIPAA Omnibus Final Rule Compliance
Stericycle’s Steri•Safe HIPAA Compliance Solution combines all the elements you need to Teach, Document, Assess and Sustain compliance with Omnibus regulations year over year.
Besides on-site consultation for HIPAA risk analysis and annual staff training, we deliver extensive online resources that are continually updated as regulations change.
Our HIPAA policy library has all the essential templates and resources you need to maintain HIPAA recordkeeping and properly conduct the required risk assessments for breach reporting.