The HIPAA Omnibus Rule, published January 25, 2013, brought a number of changes to the HIPAA privacy, security and breach notification regulations. What has not changed, however, is the requirement to notify the Secretary of HHS of all breaches of unsecured protected health information that affected fewer than 500 individuals during a calendar year. This notification must be submitted no later than 60 days after the end of the calendar year during which the breach occurred*, or, in other words, by March 1. The notification must be submitted electronically, using a form posted on the website of the Office for Civil Rights (OCR). A separate form must be submitted for each breach that occurred during the calendar year. Additional instructions regarding the notification requirements for breaches affecting fewer than 500 individuals are also provided on the website.
During the course of the calendar year, a hospice should have maintained a log of all known breaches of unsecured protected health information. The breach may have been discovered by the hospice or the hospice may have been notified of a potential breach by one of its business associates. The hospice would have conducted a risk assessment to determine if in fact a breach had occurred. If there was a breach that affected fewer than 500 individuals, the hospice would have followed other notification requirements (for example, notifying the affected individuals) and documented the information related to the breach necessary for completing the annual notification form.
If you are at all unsure regarding breach notification requirements or whether or not an actual breach has occurred at your hospice or through one of your business associates, discuss the situation with legal counsel before submitting the annual notification. Breaches of unsecured protected health information can have significant negative consequences and the regulations can be confusing.
* Note: The HIPAA Omnibus Rule changed the requirement from the calendar year during which the breach occurred to during which the breach was discovered.
Posted by Heather WIlson, PhD CEO Hospice Education Network