If you are a covered entity and have experienced the loss, theft, or accidental disclosure of unsecured or unencrypted Protected Health Information (PHI), you have most likely had a HIPAA breach. As a covered entity, you must follow specific breach notification procedures under HIPAA law if you discover a breach of unsecured protected health information. Depending on the size and nature of the breach, you may need to invoke your incident response plan and involve your attorney.
Your obligations for breach notification to the Secretary differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If you are unsure how many individuals are affected at the time of submission, provide an estimate. If the breach affects 500 or more individuals, you need to report the breach to the Secretary no later than 60 days after discovering the breach.
You may use this link to submit the notice to the Secretary of HHS: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
Once HHS receives your breach notification, your information, along with details of the breach, will be published on the HHS Breach Portal, also known as the "Wall of Shame". The Office for Civil Rights (OCR) will then open an investigation.
If you discover additional information, submit updates as necessary. If a submission category allows only one selection, pick the option that fits best and provide additional details in the free-text portion of the submission.
If you discover additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, you may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after submitting the initial breach report.
If the Breach Affects 500 or More Individuals:
If a breach of unsecured protected health information affects 500 or more individuals, you must notify the Secretary of HHS of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. You must submit the notice electronically by following the link above and completing all the required fields on the breach notification form.
If the breach affects 500 or more individuals, you also need to report the breach to prominent media outlets in the areas where affected or potentially affected individuals reside. This helps inform all affected individuals that their protected health information may have been exposed.
What if I don’t have the contact information for Affected Individuals?
If you do not have up-to-date contact information or addresses for 10 or more affected individuals, then you need to post a notice of the breach on your website. A link to the breach notice must be prominently visible on your home page.
If the Breach Affects Fewer Than 500 Individuals:
If a breach of unsecured protected health information affects fewer than 500 individuals, you must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (You are not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; you may report such breaches at the time they are discovered.) You may report all your breaches affecting fewer than 500 individuals on one date, but you must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by following the link above and completing all of the fields of the breach notification form.