Have you recently discovered a breach of Protected Health Information (PHI) at your healthcare practice? The Department of Health and Human Services (HHS) requires all covered entities to send an official notice in the event of such breaches. This requirement is part of HIPAA's Breach Notification Rule, and failure to follow it could result in fines or other penalties.
“The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information,” wrote the HHS on its website.
First and foremost, it's important to note that the HHS separates breaches into two categories: breaches affecting fewer than 500 individuals, and breaches affecting 500 or more individuals. The latter is obviously more serious, and thus it requires extra steps on the part of the covered entity.
According to the HHS, covered entities must notify their respective Secretary of State within 60 days of the end of the calendar year in which a breach affecting fewer than 500 individuals is discovered. Keep in mind that this doesn't mean you should wait until the end of the year to report a breach; rather, you have up until 60 days from the end of the year in which the breach was discovered to report it. The HHS doesn't specify an exact date for reporting these breaches, but it's still a good idea to notify the Secretary in a timely manner once a breach is discovered.
Breaches involving Protected Health Information can be reported either in writing or over the Internet. If you wish to report a breach online, visit https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true and follow the on-screen instructions. The HHS recently revamped its online breach notification tool to include a helpful wizard. Upon visiting the aforementioned URL, choose the report type (e.g., an initial breach report or an addendum to an existing report) and click Next. The wizard will then walk you through the steps required to report the breach. It's a quick and easy process that most doctors prefer over written breach notifications.
Hopefully, you will never have to report a breach to the HHS. But there's a good reason the department created the Breach Notification Rule: it's designed to inform both the public and the patients affected by a breach so they can take the necessary precautions to mitigate the damage.