Feb 29th is Last Day to Report Breaches of <500 to HHS!
For those who have been logging their “small” Breaches (i.e., fewer than 500 individuals affected) and waiting to report them to HHS at the end of the year, next Wednesday, February 29th is the LAST day to get your information entered into HHS’ Breach reporting website. While covered entities may opt to report each small Breach to HHS throughout the year (including the onsies and twosies), the other option is to log each small Breach during the calendar year and report all such small Breaches to HHS within 60 days of the end of that calendar year.
A couple of important points to note about reporting small breaches to HHS:
First, the HHS-reporting “buck” stops with the covered entity, not the Business Associate. Even if a breach was caused by a Business Associate (BA), under the current HITECH Breach Rule the BA’s only reporting obligation is to the covered entity; the covered entity is solely responsible for reporting all reportable Breaches to HHS.
Second, follow a ‘GOLDILOCKS rule’ of ‘Not too much, not too little — just right’. Covered entities must report all relevant information requested on HHS’ online reporting form. However, several fields ask for a typed response. For example, HHS asks for a “brief description of the breach,” including how it happened, any additional information about the breach, and the type of media and PHI involved. HHS similarly asks the covered entity to describe “other actions taken” in response to the Breach. But, while a covered entity must report what it is required to report by law, offering too much information (including impermissibly disclosing patients’ PHI, among other things) could land the covered entity in hot water.
Finally, you had better have remembered to collect ALL the required information on your Breach Log! A covered entity that is planning to report small Breaches at the end of the calendar year must plan ahead and know what information to collect and document, and hint: it’s a lot of information that you might not be able to recall at the end of the year unless you documented it as you went along. The information that covered entities should be collecting about each “small” Breach includes:
- Date of the Breach?
- Date the Breach was Discovered?
- Approximate number of individuals affected?
- What “type” of breach was it? (select: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, or unknown)
- Location of the Breach? (select: laptop, desktop computer, network server, e-mail, portable electronic devices, electronic medical record, paper, other)
- What type of information was involved? (select: demographic info, financial info, clinical info, other)
- What safeguards were in place prior to the Breach? (select: firewalls, packet filtering, secure browser sessions, strong authentication, encrypted wireless, physical security, logical access control, antivirus software, intrusion detection, biometrics)
- Date individuals were notified? (note: this date should never be more than 60 days after the Date of Discovery entered, and in any case any “unreasonable delay” in notifying individuals (even if less than 60 days) could trigger a closer look by HHS)
- Actions taken in response (select: privacy & security safeguards, mitigation, sanctions, policies and procedures, or other)
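One way to keep such a log so that missing fields and late notifications surface before the filing deadline, as an added example that is not part of the original post. The `SmallBreachEntry` class, its field names and the two sample entries are assumptions; the 60-day windows are the ones the post cites (individual notice within 60 days of discovery, annual filing within 60 days of the end of the calendar year).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

INDIVIDUAL_NOTICE_WINDOW_DAYS = 60   # notice to individuals: within 60 days of discovery
ANNUAL_REPORT_WINDOW_DAYS = 60       # year-end filing: within 60 days of Dec 31


def annual_reporting_deadline(year: int) -> date:
    """Last day to enter the given calendar year's small breaches on the HHS site."""
    return date(year, 12, 31) + timedelta(days=ANNUAL_REPORT_WINDOW_DAYS)


@dataclass
class SmallBreachEntry:           # assumed schema mirroring the fields listed above
    breach_date: date
    discovery_date: date
    individuals_affected: int
    breach_type: str              # theft, loss, improper disposal, unauthorized access, ...
    location: str                 # laptop, desktop computer, network server, e-mail, ...
    info_types: List[str]         # demographic info, financial info, clinical info, other
    safeguards: List[str]         # firewalls, strong authentication, encrypted wireless, ...
    actions_taken: List[str]      # mitigation, sanctions, policies and procedures, ...
    notification_date: Optional[date] = None
    description: str = ""         # brief; keep PHI out of it


def validate_entry(e: SmallBreachEntry) -> List[str]:
    """Return the problems with an entry; an empty list means it is ready to file."""
    problems = []
    if e.individuals_affected >= 500:
        problems.append("500 or more individuals: not a small Breach, do not wait for year end")
    if e.discovery_date < e.breach_date:
        problems.append("discovery date precedes breach date")
    for name in ("breach_type", "location", "info_types", "safeguards", "actions_taken"):
        if not getattr(e, name):
            problems.append(f"missing {name}")
    if e.notification_date is None:
        problems.append("individuals not yet notified")
    else:
        delay = (e.notification_date - e.discovery_date).days
        if delay > INDIVIDUAL_NOTICE_WINDOW_DAYS:
            problems.append(f"individual notice {delay} days after discovery exceeds 60-day limit")
    return problems


def sample_entries() -> List[SmallBreachEntry]:
    """Two constructed entries: one complete and timely, one late with a missing field."""
    ok = SmallBreachEntry(date(2011, 3, 1), date(2011, 3, 3), 12, "loss", "laptop",
                          ["demographic info"], ["physical security"], ["mitigation"],
                          notification_date=date(2011, 4, 15))
    late = SmallBreachEntry(date(2011, 5, 30), date(2011, 6, 1), 3, "theft", "paper",
                            ["clinical info"], [], ["sanctions"],
                            notification_date=date(2011, 9, 1))
    return [ok, late]
```

Running `validate_entry` over the whole log shortly before `annual_reporting_deadline(year)` gives a punch list of entries that cannot yet be filed as-is.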
Even though HHS withdrew the Interim Final Breach Notification Rule during the summer of 2010 (and even though we continue to wait for a final revised version of that rule to be published), covered entities are still required to report all Breaches (if there is a positive “Harm” determination) to HHS. HHS specifically points out on its website that “[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.”
For Breach Notification training & education, click our Workshops button.