Health centers that discovered breaches of unsecured protected health information (PHI) affecting fewer than 500 individuals in 2016 have until March 1^st to report the breaches to the Secretary of the Department of Health and Human Services (HHS).

Under the Breach Notification Rule, a covered entity’s breach notification obligations differ based upon the number of individuals affected:

• 500 or more individuals: The covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.

• Fewer than 500 individuals: The covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered.  The covered entity may also report such breaches at the time they are discovered.

Reporting Requirements

Breaches affecting fewer than 500 individuals are reported using the Office of Civil Right’s Breach Portal.  The covered entity must complete a separate notice for each breach incident.  All of the requested breach information must be entered into the Breach Portal at once.  The Breach Portal does not allow covered entities to save the information to be completed at a later date.

In order to complete the breach notification report, health centers should gather the following information about each breach prior to starting to enter the report(s):

• Contact information: For the health center and any business associate involved in the incident
• Breach start and end date
• Discovery start and end date
• Number of individuals affected
• Type of breach*
• Location of breach*
• Type of PHI involved*
• Brief description of breach: Up to 4000 characters
• Information on the safeguards in place prior to the breach*
• Individual notice start date and projected/expected end date
• Information about whether substitute notice was required and if so, whether it was required for 10 or more individuals
• Information about whether media notice was requried and if so, in what states
• Information on the actions taken in response to the breach*

* The Breach Portal requires covered entities to select from a pre-populated list of answers for these questions.  According to OCR, if only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission.

Health centers should take care to assure their responses are accurate and complete, demonstrating that the health center has taken corrective action required by the Breach Notification Rule.

Health centers should print and retain a copy of the breach notification form from the summary page prior to submission.

Additional resources:  The HIPAA Privacy Toolkit contains the following updated and new documents to help health centers meet their reporting requirements:

• UPDATED: Sample:  Breach Incident Log
• NEW: Sample Form:  Breach Notification Reporting Template

For more information about HIPAA, please contact an attorney at Feldesman Tucker Leifer Fidell LLP at (202) 466-8960.