Deadline Reporting Small Breaches ­­– March 2, 2018

06Days 00Hours 42Minutes 27Seconds

HIPAA breaches involving fewer than 500 individuals, which occurred during 2017, must be reported to the U.S. Department of Health and Human Services (HHS) by Friday, March 2, 2018.

When do Small Breaches need to be Reported?

Every breach involving fewer than 500 individuals must be logged when it happens. You can collect the details of these breaches and report them to the Secretary of HHS within 60-days of the end of the calendar year or you can report them throughout the year as they are documented. Every breach needs to be included regardless of how minor the incident or how few individuals are involved. 45 CFR § 164.408. Covered entities must notify the Secretary by filling out and electronically submitting a breach report form on the HHS website. You also have the opportunity to download a sample form to understand the information HHS is looking for with each incident.

If the number of individuals affected by a breach is uncertain at the time of submission, the Covered Entity (CE) or Business Associate (BA) should provide an estimate, and, if it discovers additional information later, the CE/BA should submit updates as indicated on the HHS form.

If the CE or BA decides to report all breaches affecting fewer than 500 individuals on one date, a separate notice must be completed for each breach incident.

Breach Examples

A simple oversight or event may be classified as a HIPAA breach. Here are a few examples from the HHS website:

  • MAPFRE Life Insurance Company of Puerto Rico was fined $2.2 million for a breach involving a stolen unencrypted USB drive affecting 2,209 individuals.
  • Briggs & Stratton Corp., a maker of gasoline engines for outdoor power equipment, reported to HHS a health data breach affecting about 13,000 individuals. The breach was a “hacking/IT” incident involving the company’s health plan because of a surge of malware and could have allowed a third party to access, use, and/or disclose individuals’ account-related, human resources and/or health plan information.
  • A municipal social service agency disclosed Protected Health Information (PHI) while processing Medicaid applications by sending consolidated data to computer vendors that were not Business Associates.
  • A mental health center did not provide a Notice of Privacy Practices to a father or his minor daughter, who was a patient at the center.
  • A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals.
  • A grocery store based pharmacy chain maintained pseudoephedrine log books containing PHI in a manner so that individual PHI was visible to the public at the pharmacy counter.
  • A law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. The pharmacy chain and the law firm had not entered into a Business Associate Agreement.

Here’s a  full list of examples from the Health and Human Services’ website.

Will I Be Penalized for the Breaches that I Report?

No, you will not be penalized. Logging your breaches throughout the year demonstrates to HHS that you are doing your best to comply with HIPAA. You acknowledge when any PHI has potentially been compromised and that you have taken measures to make sure the same breaches do not happen again in the future.

Not logging breaches, however, can carry serious consequences as HHS sees it as a failure to cooperate. It is also a requirement for the appropriate employees in your organization to be trained specifically on how to log a breach. Should you be audited and your employees cannot demonstrate knowledge of the breach report logging process, you could be penalized.

What if My Business Associate Logged the Breach?

If your Business Associate logged the breach and you have designated them as responsible for reporting the breach, that is fine. However, you will want to review the breach report before they file it to make sure it is correct, and then follow up with them before March 2nd to be sure that it has been filed.

Looking Ahead

If you didn’t log any breaches last year, now is an excellent time to make sure you have a process in place for logging breaches and that your employees are trained on implementation procedures. The Breach Notification Portal in the HHS website will lead you through the complete process for reporting. If you need help getting started or assistance on the department’s site, email ocrprivacy@hhs.gov or call toll-free: (800) 368-1019, TDD toll-free: (800) 537-7697.