Pursuant to HIPAA's breach notification requirements (45 C.F.R. 164.408), all Covered Entities are required to complete an online notification form to report these breach incidents to Health and Human Services' Office of Civil Rights ("OCR") by March 1, 2014. If more than one breach incident involving fewer than 500 individuals occurred in 2013, a separate form must be completed for each breach incident. The form will request certain information regarding the breach incident, including the following:
- A brief description of what happened, including dates of breach and discovery
- Approximate number of individuals affected by the breach
- Description of the types of PHI involved in the breach
- Location of the breach information (laptop, computer, email, etc.)
- Brief description of the steps taken in response to the breach
- Safeguards in place prior to the breach
- Contact procedures, including the name and contact information for the covered entity and, if the breach involves a business associate, the name and contact information for the business associate
In 2013, the definition of “breach” was
revised to mean “the acquisition, access, use or disclosure of protected health
information in a manner not permitted under subpart E [of the HIPAA Regulation]
which compromises the security or privacy of the protected health information.” Such acquisition, access, use or disclosure
is presumed to be a breach unless the Covered Entity or business associate
demonstrates that there is a low probability that the PHI has been compromised
based on a risk assessment into the nature and extent of PHI involved, the
unauthorized person who used the PHI or to whom the disclosure was made,
whether the PHI was actually acquired or viewed, and the extent to which the
risk to the PHI has been mitigated. The new definition then excludes certain unintentional acquisitions, access, or use of PHI, inadvertent disclosures, and good faith disclosures.
The online notification form that is to be completed by the Covered Entity is available on the OCR website.
For more information on HIPAA breaches and how to report them, please contact Meghan McNab at mmcnab@kdlegal.com or Susan Ziel at sziel@kdlegal.com.