The deadline for reporting 2014 security breaches involving fewer than 500 individuals is a little over three weeks away. Any healthcare provider or other covered entity that has not yet submitted all of its 2014 breach reports must ensure they have been filed, and updated where necessary, via the HHS breach reporting portal by the March 2, 2015 deadline.
All organizations covered by the Health Insurance Portability and Accountability Act are required, under the HIPAA Breach Notification Rule, to report breaches affecting 500 or more individuals no later than 60 days after discovery of the breach. The Department of Health and Human Services' Office for Civil Rights (OCR) must be notified, and every individual affected by the breach must also be notified so that they can take steps to mitigate any harm.
Covered entities must also report breaches affecting fewer than 500 individuals to HHS, but these smaller breaches only need to be reported once per year: they must be logged and submitted within 60 days of the end of the calendar year in which they were discovered. Failing to submit a breach report, or submitting an inaccurate one, is a violation of the HIPAA Breach Notification Rule and could result in the OCR issuing a financial penalty for non-compliance or triggering a full HIPAA compliance audit.
Web Portal Changes
Recent updates to the HHS breach reporting portal changed its format (a new submission wizard has been introduced) and amended the information that must be provided to the OCR about data breaches. More detailed information is now required about the actions taken in response to each breach. A change of system this close to the reporting deadline may put pressure on healthcare providers whose breach logs do not already contain all of the information the new form requires.
Reporting Best Practices
Now is a good time to put policies in place covering future breach reports and to incorporate the recent portal changes into reporting procedures. HHS does not stipulate when reports of small breaches should be submitted, other than setting the annual deadline, but a sound practice is to file each report as soon as the preliminary investigation has been completed.
Further information, such as the actions taken to address the security vulnerabilities exposed by the breach, can then be added as addenda, and a final check of all submitted reports can take place as the deadline approaches. Filing early ensures that the information the OCR requires is gathered while it is still easiest to collect.
The change to the portal should serve as a reminder to HIPAA-covered organizations that the OCR is looking closely at all data breaches, not only those affecting thousands of individuals. The additional detail now required for small breach reports suggests that these are being scrutinized as well, and that the OCR is examining the risk management measures organizations implement in response to a breach to address every security vulnerability it exposes.