Little more than one month after the HIPAA breach notification regulations became effective (September 23, 2009), covered entities (health care providers, health plans) and their business associates are struggling with the effects of these new rules. Many are asking:
- What is a breach?
- Do we have to notify in all cases, what are the exceptions?
- Who do we notify?
- Do we have to notify the government?
- Do we have to modify our business associate agreements?
- Do we have to create, update our policies and procedures?
Indeed, it is important to learn about these issues before a breach happens. However, if a reportable breaches happens, covered entities will need to know how and when to notify the Department of Health and Human Services (HHS). For breaches involving 500 or more individuals, the covered entity must notify HHS at the same time as the affected individuals. For breaches involving fewer than 500 individuals, the covered entity must maintain a log of the breaches during the calendar year and report them to the Secretary within 60 days following the end of that year.
HHS established a website for reporting breaches, with separate links for immediate and annual notifications. Note that in addition to gathering information specific to the breach, both forms ask about the safeguards in place prior to the breach and steps taken following the breach. Also, the instructions require covered entities to complete a separate on-line form for each breach.
Remember: Breaches triggering a notification requirement under HIPAA also may require notice under state law, including notice to certain state agencies and officials.