Health Information Security Breach Reporting Deadline: February 28th

Michelle Bilsky, CHCO, LHRM, MLA, CBA // February 20, 2017

The breach notification rule, which is part of the HIPAA Omnibus, states that if a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of Health and Human Services of the breach within 60 days of the end of the calendar year in which the breach was discovered. That makes February 28th the last day to report incidents for the 2016 calendar year.

Definition of Breach

A breach is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

3 Exceptions

  1. The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  2. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Click here to report a Breach to the Secretary of Health and Human Services.

 

E-mail RiskManagement@MedMalDirect.com if you have questions about what should be reported and what is “not reportable”.

The guidelines or recommendations suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

*Information courtesy of HHS.gov