It is that time of year again... to notify the government of any breaches of unsecured protected health information discovered during 2013 that affected fewer than 500 individuals. The deadline is March 1, 2014.
I was going to write a list of FAQs about the breach notification requirements for this blog post. However, questions about this HIPAA requirement are not frequently asked - at least not of me. So instead, the following are some questions and answers about breach notification and the March 1 deadline. Perhaps you will discover answers to questions you were too afraid, or, more likely, too busy to ask.
Q: What is this HIPAA deadline?
A: Every year covered entities, hospices included, must be certain they have reported to the Secretary of HHS all breaches of unsecured protected health information that affected fewer than 500 individuals. The report is due within 60 days of the end of the calendar year during which the breach was discovered. March 1st is 60 days after the end of the calendar year (in a non-leap year, which both 2014 and 2015 are).
Q: What is a reportable breach of unsecured protected health information?
A: A "breach" means the acquisition, access, use or disclosure of protected health information in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. "Unsecured" means the protected health information was not rendered unusable, unreadable or indecipherable to unauthorized persons (in practice, encrypted or destroyed) in accordance with HHS guidance. Under the Omnibus Rule an impermissible use or disclosure is presumed to be a breach, and it is reportable if all three of the following hold: the protected health information was unsecured; the incident does not fall within one of the breach exceptions specified in the regulations; and your breach risk assessment does not demonstrate a low probability that the protected health information has been compromised.
Q: What about breaches that affect 500 or more individuals?
A: Hopefully you won't have any but, if you do, there are different reporting requirements: those breaches must be reported to HHS without unreasonable delay and no later than 60 days after discovery, not on the annual March 1 schedule. You can read about the requirements on the HHS Office for Civil Rights breach reporting website.
Q: What if we reported breaches affecting fewer than 500 individuals before March 1st?
A: That is fine. March 1, 2014 is just the final deadline for doing so for any breaches discovered during 2013.
Q: What if the reportable breach occurred in November 2013 but we did not find out about it until January of 2014?
A: In this situation the final deadline for notifying the government of that breach would be March 1, 2015 since the breach was discovered in 2014.
Q: Is March 1st also the deadline for reporting the breach to affected individuals?
A: No. Whether the breach affected 500 or more, fewer than 500 or only one person, the affected individuals must be notified without unreasonable delay and no later than 60 days after the breach was discovered.
Q: What information are we required to report by March 1st?
A: The HHS Office for Civil Rights breach reporting website provides the form that is used for notifying the government of breaches of unsecured protected health information. On that form you can clearly see the information that needs to be collected and reported about each breach.
Q: How are we supposed to report this information?
A: The information must be reported electronically using the form referenced above. A separate form must be submitted for each reportable breach that occurred during the calendar year.
Q: Will we get in trouble if we report a breach?
A: You might. A hospice that was diligent in meeting the breach notification requirements ended up paying $50,000 under a settlement with HHS for a reportable breach that occurred in 2010; it was the first HIPAA breach settlement involving fewer than 500 patients, and it stemmed from the theft of an unencrypted laptop containing patient information, which is exactly the kind of incident that encryption would have kept out of the "unsecured" category. I always thought this was rather unfair and that the hospice was being used by the government to demonstrate that even small covered entities could get in trouble for HIPAA violations. In the press release on this issue the Office for Civil Rights Director Leon Rodriguez stated: "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information."
Q: Will we get in trouble if we do not report a breach?
A: You might. With the increased HIPAA enforcement activities and penalties, the risk of non-compliance and significant penalties is higher than ever before. At Weatherbee, we never recommend the "proceed until apprehended" approach to compliance. Instead, if you have concerns related to reportable breaches of protected health information, we recommend you contact your legal counsel ASAP to discuss your options.
For more information on reportable breaches, how to conduct a breach risk assessment, securing protected health information and compliance with breach notification requirements see my downloadable manual entitled The HIPAA Omnibus Rule: What Hospices Need To Know and Do.
Posted by Heather P. Wilson, PhD, CEO, Weatherbee Resources, Inc.