Each year, health centers ask whether they really are required to report small breaches (those affecting fewer than 500 individuals) to the Office for Civil Rights (OCR) for the Department of Health and Human Services (HHS). The answer is, “yes” and the deadline for reporting last year’s small breaches is fast-approaching. Here is what your health center needs to know in order to comply:
Under the HIPAA Breach Notification Rule, covered entities (and their business associates) are required to provide notification to affected individuals and to OCR following a breach of unsecured protected health information (PHI). Here are the notification requirements for breaches affecting fewer than 500 individuals:
To affected individuals: Individuals affected by a breach must be notified without unreasonable delay and in no case later than 60 days following the discovery of a breach. Covered entities must provide notice in writing by either first-class mail or e-mail (only if the affected individual has agreed to receive such notices electronically).
The notice should include:
- A brief description of the breach
- A description of the types of information involved in the breach
- Steps affected individuals should take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
- Contact information for the covered entity (or business associate, as applicable).
To HHS: Breaches affecting fewer than 500 individuals must be reported to HHS within 60 days of the end of the calendar year in which the breach was discovered. This means that breach notices affecting 500 or fewer people must be submitted no later than the end of February of the year after the breach was discovered. Breach notices can be submitted here.
Investigation and Enforcement
In 2016, OCR announced that its Regional Offices would expand their investigations into breaches affecting fewer than 500 individuals. OCR stated that the factors it will take into consideration when deciding whether to investigate smaller breaches include:
- Size of the breach: The number of individuals affected
- Type of PHI involved: The amount, nature and sensitivity of the PHI involved
- Unencrypted PHI: Whether the breach involved the theft of or improper disposal of unencrypted PHI
- Intrusions to IT systems: Whether the breach involved unwanted intrusions to IT systems (e.g. hacking)
- Similar reports from the covered entity: Whether there are numerous breach reports from the covered entity or business associate raising similar issues
- Reports from like-situated covered entities: Whether like-situated covered entities have reported similar breaches
Several of OCR’s recent settlements have related to breaches affecting fewer than 500 individuals. For example, OCR’s investigation into the breach of one patient’s information revealed additional small breaches by the covered entity and resulted in a settlement of over $380,000. Another settlement announced in 2017 related to the breach of one patient’s information and resulted in a $2.4 million settlement with the covered entity.
For breaches affecting fewer than 500 individuals, health centers must comply with the HIPAA requirements to notify the individuals affected and to notify HHS. To meet these requirements, health centers should:
- Create an action plan to determine when a breach has occurred
- Develop a system for tracking and reporting breaches
- Create sample letters to provide notification to individuals should a breach occur
- Ensure information about the breach and the covered entity’s response is retained as required under HIPAA and relevant state laws
Does your health center understand all of the legal requirements under HIPAA? Interested in learning more about HIPAA compliance?
Please join me for a two-day, small group HIPAA training, developed specifically for Federally Qualified Health Center (FQHC) staff responsible for privacy, security, compliance and/or executive and management staff at FQHCs.
HIPAA: Fundamentals – February 13th -14th, Washington, DC
HIPAA Breaches: Determining Whether a Breach has Occurred and the Reporting Requirements – February 8th at 1:00 EST