The deadline for covered entities to report data breaches that occurred in 2014 and affected fewer than 500 people is fast approaching. Under the federal Health Insurance Portability and Accountability Act (HIPAA), covered entities are required to notify the Department of Health & Human Services (HHS) by March 1, 2015 for all breaches that occurred in 2014. Covered entities that fail to report such breaches are subject to fines, and in severe circumstances, criminal charges.
It's important to note that covered entities must also notify the affected person or persons when a breach occurs. This notification should consist of a written form, sent by either first-class USPS mail or e-mail, that specifies what information was disclosed, the steps taken to protect the information, when the incident occurred, and a toll-free phone number the individual can call for more information.
Disclosures affecting 500 or more people are handled differently, which is why covered entities should familiarize themselves with HIPAA's Breach Notification Rule. If you experienced a breach that involved 500 or more patients/clients, you must notify the HHS Secretary without unreasonable delay, and no later than 60 days after discovering the breach. Even though the annual breach notification deadline is March 1, covered entities are still responsible for reporting these larger breaches within 60 days.
Furthermore, breaches involving 500 or more people must also be reported to the media. The most common method for notifying the media of such disclosures is a press release. The covered entity will typically create and submit a press release to one or more news agencies, in which it describes the type of breach, when it occurred, who was affected (without providing names), and other information. This notification must also be sent without unreasonable delay and no later than 60 days after discovering the breach.
So, how do you report a breach? Covered entities can notify the HHS of a breach by using the online wizard located on the HHS website, which provides separate forms for disclosures affecting fewer than 500 people and for disclosures affecting more than 500 people. If you have any questions, you can contact the HHS via its toll-free phone number, (800) 368-1019.
Hopefully, this will give you a better understanding of HIPAA's Breach Notification Rule. Whether you're a doctor, dentist, chiropractor or any other covered entity, you must take a proactive approach towards reporting disclosures in a timely manner. The HHS website has a convenient, easy-to-use tool for submitting breach notifications, but it's ultimately your responsibility to take action.