If you are a HIPAA-covered entity, it’s that time of year to make sure you have cataloged and reported breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). For breaches involving less than 500 individuals, the Breach Notification Rule requires a covered entity to submit information to HHS at least annually through OCR’s breach reporting portal on the HHS website. The deadline for reporting breaches affecting fewer than 500 individuals for the 2021 calendar year was March 1, 2022.
OCR requires specific information about a covered entity’s “under 500 breaches,” much like the detailed reporting for larger breaches. Each breach incident reported through the OCR breach portal requires supplying information including details about when the breach incident was discovered, when notifications to individuals were made, the root causes of the breach incident, and steps the covered entity has taken to mitigate another occurrence.
We recommend a strategic approach in the development of the information to be reported through the OCR portal. OCR will act on the information supplied by the covered entity, and it will influence the interest the agency takes in conducting a review of the incident. Providing inaccurate information about a breach or an organization’s mitigation efforts can lead to big problems. We have some tips that could help your organization develop its strategy in reporting through the OCR breach portal:
- Pay attention that the date on which the breach is discovered is no more than 60 days from when individuals are notified. The Breach Notification Rule requires a covered entity to send notification to the individual(s) whose PHI was compromised no later than 60 calendar days following discovery of a breach. If there is more than a 60-day delay in notifications, be prepared to explain why.
- Keep the explanation of how the breach occurred short, simple, and to the point. Sometimes organizations provide a detailed explanation that can be perceived as indicating poor compliance practices or systemic failures to safeguard PHI when the incident can be shown to have been an isolated occurrence. It is better for the initial breach report to be a short summary of the facts and to save the details for any follow-up review conducted by OCR.
- When reporting the actions an organization has taken to fix compliance problems or safeguards put into place to address the root cause of the breach incident, ensure that the mitigation activities can be demonstrated or documented through the risk management plan.
What is clear from OCR’s recent enforcement actions and resolution agreements is that the stakes are significantly higher for covered entities, business associates, and their subcontractors. It is not enough to have adopted a Notice of Privacy Practices and HIPAA-compliant policies and procedures; rather, HIPAA compliance must become engrained in an organization’s culture and day-to-day business practices.
If you have questions about breach reporting requirements or the breach reporting portal, please contact us at [email@example.com].
-David Holtzman JD, CIPP US/G