You may have been hearing a lot about HIPAA breach notification reporting lately and for a good reason. The deadline to report small-scale breaches to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is March 1st. When reporting breaches to the HHS OCR, they require you to submit a HIPAA Breach Notification Form.
Before completing the form, it is important to understand what types of incidents are reportable, which breaches are required to be reported by March 1st, and what information you will need to complete the HIPAA Breach Notification Form.
What Types of Incidents Are Reportable?
Not all incidents are considered reportable breaches. The HIPAA regulation only requires reporting of unsecure protected health information (PHI). For example, a laptop with access to electronic PHI is stolen, but the laptop is encrypted to prevent unauthorized access. This is not a reportable breach since the ePHI on the device is inaccessible.
There are several incidents that are reportable, however, including:
- Hacking or IT incidents
- Unauthorized access or disclosure of PHI
- Theft or loss of an unencrypted device with access to ePHI
- Improper disposal of medical records
Since all of the incidents mentioned above can lead to PHI access by an unauthorized party, they are all reportable under the HIPAA Breach Notification Rule.
Which Breaches Are Required to be Reported by March 1st?
Breach reporting requirements differ depending on how many patients were affected by the incident. Breaches that affected 500 or more patients should have been reported within 60 days of discovering the incident to the HHS. All smaller breaches that affected less than 500 patients, and occurred in 2021, must be reported to the HHS by March 1, 2022.
The HHS states on their site, “The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link.”
However, regardless of the size of the breach, affected patients must be informed of the incident within 60 days of discovery. Patients must be mailed breach notification letters that discuss the details of the breach, and advise patients on how to monitor their information.
What Information Does the HIPAA Breach Notification Form Ask?
In the HIPAA Breach Notification Form, you will be asked a series of questions including:
- Are you a covered entity or business associate?
- How many patients did the breach affect?
- When did the breach occur?
- What type of incident occurred (i.e. hacking, unauthorized access to PHI, etc.)?
A full list of the questions you will need to answer when reporting a PHI breach can be found here.
Make Sure You Don’t Miss Important HIPAA Deadlines
The HIPAA Breach Notification deadline is just one of many HIPAA deadlines. Although the Breach Notification deadline is the most tangible, with specific breach submission dates that must be met, there are other important HIPAA obligations to keep in mind. This includes annual security risk assessments, employee training, and reviewing of your HIPAA policies and procedures.
All of these deadlines can be difficult to keep track of, so what if you didn’t have to do it on your own? Compliancy Group makes HIPAA compliance tracking easy so that you never miss an important HIPAA deadline. Our simplified software solution stores all of your HIPAA documentation in a centralized location, while your dedicated Compliance Coach keeps your HIPAA compliance on track.
Find out more about how we can help you become HIPAA compliant, and maintain your compliance!
