March 1st Deadline for 2013 HIPAA Breach Reports
The U.S Department of Health and Human Services requires all HIPAA covered entities to submit annual reports of HIPAA breaches, and the deadline for submitting 2013 breaches is fast approaching. While there is a requirement under the Breach Notification Rule for healthcare institutions and their business associates to notify the HHS of any breaches involving more than 500 individuals without delay, smaller breaches affecting fewer than 500 individuals only need to be included in an annual report. HIPAA-covered entities now only have a few weeks to submit the reports, which must be received by the HSS no later than March 1st, 2014.
A PHI breach involving less than 500 individuals must be reported to the HHS within 60 days of the end of the calendar year during which the breach was discovered. Therefore any data breaches identified during 2013 must now be included in the report to the HHS. In many security breaches it is not immediately clear how many individuals have been affected. If an investigation is still ongoing, the entity in question should provide an estimate of the number of individuals affected and once the final number is known it can be submitted to the OCR as an addendum at a later date.
The release of the HIPAA Omnibus Rule, which came into effect on September 23, 2013, changed how covered organizations must assess and report data breaches. Before the introduction of the new rule, healthcare organizations were required to make a subjective assessment based on the potential harm caused by a breach under the “risk of harm standard”. Now the assessment process is more involved, requiring a 4-factor risk assessment to be conducted on any potential security breach involving unencrypted PHI.
In the case of a low probability of disclosure of PHI a breach notification does not need to be issued; however if this cannot be determined with any degree of certainty the incident must be treated as full breach. The organization must therefore comply with breach notification rules and alert those affected to the potential disclosure of their PHI.
4-Factor HIPAA Breach Risk Assessment
- Assessment of the “nature and extent” of the breach, the data potentially exposed and any personal identifiers present ion the data.
- Who accessed the PHI and the person or persons to whom PHI has been disclosed?
- Determination of the exact data viewed, acquired or accessed as a result of the breach
- Whether any potential loss or damage has been mitigated.
Following this assessment a HIPAA covered entity should determine whether a breach notification should be issued and whether the incident should be reported immediately to the OCR.