Has your practice experienced a data breach affecting fewer than 500 patients recently? If so, you are legally obligated to report it to the appropriate authorities. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates that all covered entities report data breaches, and failure to do so could result in a fine. So, what's the correct way to report a data breach involving fewer than 500 patients?
What Is a Breach?
Let's first go over the basics of a breach, as many covered entities are confused by this terminology. The Department of Health and Human Services (HHS) defines a breach as an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.”
Reporting Data Breaches
For data breaches involving fewer than 500 patients, covered entities are required to notify the Secretary within 60 days from when the breach was discovered. It's important to note that the 60 days begin when the breach was discovered, not when it occurred. Some breaches aren't discovered until months or even years later, which would make it next to impossible for the covered entity to report them within that time frame if the clock started at the time of occurrence. As long as you report within 60 days from when the breach was discovered, however, you will remain compliant under the HIPAA Data Breach Notification Rule.
All reports of data breaches involving fewer than 500 patients must be submitted electronically through the HHS website. To do this, visit https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true and follow the on-screen wizard. It will walk you through the steps of creating and sending a report about the data breach. Once HHS has been notified, no further action is required on your part.
Do I Need To Notify The Media?
It's a common assumption that covered entities must notify the local news when a data breach occurs. However, this requirement applies only to data breaches affecting 500 or more patients. As long as the breach affected fewer than 500 patients, you do not have to report it to the media or news.