Breach Notification Requirements

Breach Notification Requirements: Questions and Answers

The deadline for submitting notice of a breach affecting fewer than 500 individuals is less than one month away. If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of Health and Human Services of the breach within 60 days of the end of the calendar year in which the breach was discovered. As a general rule of thumb, we recommend providing notice to the Secretary as soon as possible, but no later than February 28, 2015.

What are some incidents that may require breach notification?

According to OCR, the compliance issues investigated most are:

1. Impermissible uses and disclosures of protected health information;

2. Lack of safeguards of protected health information;

3. Lack of patient access to their protected health information;

4. Lack of administrative safeguards of electronic protected health information; and

5. Use or disclosure of more than the minimum necessary protected health information.

Can I submit one report with all of our breaches from this past year?

You may report all of your breaches affecting fewer than 500 individuals on one date; however, you must complete a separate notice for each breach incident. The notice must be submitted electronically. Click on "Submit a Notice for a Breach Affecting Fewer than 500 Individuals" and complete all the fields of the breach notification form. Remember, one report should be completed for each breach.

What if I already submitted a breach to HCP; is a notice to the Secretary still required?

Yes, you are required to report the breach to the Secretary of HHS. Our online breach log allows you to log incidents and/or breaches that have occurred throughout the year. Additionally, you may elect to have a certified HCP professional review your submitted breach report for breach determination and breach mitigation services. Under the HIPAA Breach Notification Rule, 45 CFR 164.400-414, covered entities and their business associates are required to provide notification following a breach of unsecured protected health information. If you submitted your breach using our online breach log, you still need to submit that breach online at the HHS website. Our online breach log, however, should contain all the necessary information required by HHS.

Can one of HCP's certified professionals help me if I have questions while providing notice to the Secretary?

Yes. While we can't complete the notification and attestation for you, we can provide assistance with the notification process. If you are already signed up for our breach determination and breach mitigation services, you may reach out to us for support during this process.

If you have any questions about providing notice to the Secretary or for more information about the breach determination and breach mitigation services we provide, please feel free to comment below or send us an email at [email protected] or reach us toll-free at 855-427-0427.