The HIPAA Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information (ePHI) to the Department of Health and Human Services' Office for Civil Rights (OCR).
Large data breaches, those affecting 500 or more individuals, must be reported to OCR within two months of the discovery of the breach, but covered entities may delay reporting smaller data breaches.
Patients must be notified of any breach of their ePHI within two months, regardless of how many individuals were affected, but OCR does not require reports of these smaller incidents until two months after the end of the calendar year in which the breaches were discovered.
The deadline for reporting 2016 healthcare data breaches affecting fewer than 500 individuals is March 1, 2017.
As with larger data breaches, all smaller incidents must be submitted through the OCR breach reporting tool. Smaller data breaches may be reported at the same time, but each breach must be entered into the breach reporting tool separately, along with any supporting information.
Even when the full details of a breach are not yet known, covered entities must submit the information before the March 1 deadline. An addendum can be attached to the breach report when further information becomes available.
It is highly advisable to assign responsibility for breach reporting to a single person and to begin uploading breach reports as soon as possible. Covered entities should not wait until February 28 to upload their breach details. Late reporting of healthcare data breaches is a violation of the HIPAA Breach Notification Rule, and as we have seen this year, financial penalties can be imposed for late breach notifications.
In January, OCR took action against Presence Health Network for unnecessarily delaying the issuing of breach notification letters to patients. Presence Health paid OCR $475,000 to settle the case.