Have you had a HIPAA Breach? Here's how you report it.
If you are a covered entity and have experienced the loss, theft, or accidental disclosure of unsecured (unencrypted) Protected Health Information (PHI), you have most likely had a HIPAA breach. As a covered entity, you must follow the specific breach notification procedures required by HIPAA law when you discover a breach of unsecured protected health information. Depending on the size and nature of the breach, you may also need to invoke your incident response plan and involve your attorney.
Step 1- Notify the Secretary of Health and Human Services (HHS)
Your obligations for breach notification to the Secretary differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If you are unsure how many individuals are affected at the time of submission, provide an estimate. If the breach affects 500 or more individuals, you must report the breach to the Secretary no later than 60 days after discovering the breach.
You may use this link to submit the notice to the Secretary of HHS: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
Once HHS receives your breach notification, your information, along with some details of the breach, will be published on the HHS Breach Portal, also known as the "Wall of Shame". The Office for Civil Rights (OCR) will then open an investigation.
Step 2- Providing additional information after a breach has been reported
If you discover additional information, submit updates as necessary. If a submission category allows only one option to be selected, pick the best option; you may provide additional details in the free-text portion of the submission.
If you discover additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, you may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after submitting the initial breach report.
Step 3- Notify the affected individuals
- It is your responsibility to notify each individual of the breach of their PHI, either by first-class mail or, if the individual has given permission, by email. This notice must include a description of the breach, including the information involved, the steps the individual can take to protect themselves, a summary of the steps you are taking to investigate the breach, and what you are doing to prevent future breaches.
What if I don’t have the contact information for Affected Individuals?
- If the contact information for 10 or more individuals is incorrect, you must provide a public notice or media notification in the residential area of those affected individuals, giving them a toll-free (800) number they can call to find out whether their information was included in the breach. This number must remain active for a minimum of 90 days. These individual notices may be substituted by posting a notice on your website for a minimum of 90 days or by issuing a media statement notifying the public of the breach.
If the Breach Affects 500 or More Individuals:
- If a breach of unsecured protected health information affects 500 or more individuals, you must notify the Secretary of HHS of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. You must submit the notice electronically using the HHS breach portal link given in Step 1 and completing all the required fields on the breach notification form.
Step 4- Notify the media and update your website
If the breach affects 500 or more individuals, you must also report the breach to prominent media outlets in the areas where affected or potentially affected individuals reside. This helps inform all breach victims that their protected health information may have been exposed.
If you do not have up-to-date contact information or addresses of 10 or more affected individuals, then you need to update your website with a notice of the breach. A link to the breach notice must be prominently visible on your home page.
Step 5- Notify HHS annually of breaches affecting fewer than 500 individuals
If a breach of unsecured protected health information affects fewer than 500 individuals, you must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (You are not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; you may report such breaches at the time they are discovered.) You may report all your breaches affecting fewer than 500 individuals on one date, but you must complete a separate notice for each breach incident. The covered entity must submit the notice electronically using the HHS breach portal link given in Step 1 and completing all of the fields of the breach notification form.
- Be aware that your state may have more stringent breach notification requirements than the federal rules.
- Be cognizant of the breach notification timeline; delays in notification can result in fines and penalties.
- Business Associates are also subject to the Breach Notification Rule. Business Associates must inform the covered entity within 60 days of discovering the breach, and must comply with the requirements specified in their Business Associate Agreement with the covered entity.
- Contact HHS OCR with questions toll-free at: 1-800-368-1019, TDD: 1-800-537-7697 or send an email to OCRPrivacy@hhs.gov