OCR Raises the Stakes Again with Updated Breach Reporting Requirements

February 4, 2015 David Holtzman

Updated OCR Breach Portal Requires Disclosing Compliance Gaps


The HITECH Breach Notification Rule requires HIPAA covered entities to report breaches of unsecured protected health information (PHI) to the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS). Under the Breach Notification Rule an unauthorized use or disclosure of PHI by a covered entity or their business associate is presumed to be a breach unless the organization can demonstrate through a risk assessment that there is a low probability that the confidentiality of the information was compromised.

The HITECH Act defines “unsecured Protected Health Information” as PHI that is not secured through the use of technologies or methodologies, as specified in guidance by the Secretary of HHS, that render the PHI unusable, unreadable, or indecipherable to unauthorized individuals. In April 2009, HHS issued guidance indicating that in order for PHI to be secured, it must be encrypted or destroyed according to standards established by the National Institute of Standards and Technology.

The Breach Notification Rule requires a covered entity to notify HHS following the discovery of a breach of unsecured protected health information. With respect to breaches involving 500 or more individuals, HHS requires notification be sent concurrently with the notification sent to the individual (i.e., without unreasonable delay but in no case later than 60 calendar days following discovery of a breach). The rule further requires that the notifications to the government be provided through the HHS website.

With the updated portal, OCR now requires the same level of specific detail for small breaches as for large breaches when reporting them to HHS. For breaches involving fewer than 500 individuals, the Breach Notification Rule requires a covered entity to maintain a log or other documentation of such breaches and to submit information annually to HHS for breaches occurring during the preceding calendar year. The report is due no later than 60 days after the end of each calendar year. As with notification of the larger breaches, the rule further requires that the notifications to the government be provided through the HHS website.

What is clear from OCR’s changes to the breach reporting portal, as well as from recent enforcement actions and resolution agreements, is that the stakes are significantly higher for covered entities, business associates, and their subcontractors. It is not enough to have adopted a Notice of Privacy Practices and HIPAA-compliant policies and procedures; rather, HIPAA compliance must become ingrained in these organizations’ respective cultures and day-to-day business practices. Nor can entities that promptly report a privacy or security breach resulting from a stolen laptop realistically expect to avoid investigation and potential civil monetary penalties. HHS is now looking behind the stolen laptop (the symptom) to determine whether sufficient attention has been paid to HIPAA privacy and security requirements, and to review the mechanisms that could have brought the risk to light sooner and potentially prevented the theft (the cause).
