Part of maintaining a Health Insurance Portability and Accountability Act (HIPAA) compliant healthcare practice is knowing what to do in the event of a data breach. Let's hope it never happens, but if your practice's data is ever compromised, you'll need to follow some basic steps to ensure the appropriate parties are notified of the incident. In this post, we're going to discuss the HIPAA Breach Notification Rule involving 500 or more individuals.
The Breach Notification Rule divides Protected Health Information (PHI) breaches into one of two categories: those involving fewer than 500 individuals, and those involving 500 or more individuals. Conventional wisdom should lead you to believe that data breaches involving 500 or more individuals are more severe, and thus they carry more notification requirements. It's not uncommon for doctors or other healthcare practices to accidentally misplace patient files, resulting in small, limited breaches. When a breach involves 500 or more individuals, however, it requires specific handling steps that cannot be overlooked.
So, what should you do if your healthcare practice experiences a PHI data breach that involves 500 or more individuals? Under the HIPAA Breach Notification Rule, you must notify the Secretary of the Department of Health and Human Services (HHS) "without unreasonable delay," and no later than 60 days after the date on which the breach was discovered.
This notice must be filed electronically by visiting https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true and following the on-screen directions. This involves entering your contact information, whether you are a covered entity or a business associate, your organization's information, details of the breach, actions taken since the breach, and so on. The form is rather lengthy, but it's critical to ensuring compliance with HIPAA. Once HHS receives the notification form, they will review it to determine whether further action is required.
Section 13402(e)(4) of the HITECH Act requires the Secretary to publish and maintain a list of all PHI breaches involving 500 or more individuals. By visiting https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf you can see a list of every data breach involving 500 or more individuals, along with the state in which the breach occurred, the type of entity (e.g. healthcare provider, business associate, or health plan), how many individuals were affected, the breach submission date, the type of breach, and the location of the breached information. According to the list, the recent Anthem, Inc. breach affected the highest number of individuals, with more than 78 million persons' records compromised.