Friday, February 22, 2019

HIPAA Breach Reporting Annual Deadline - March 1, 2019

HIPAA covered entities and their business associates are required to provide notification following a breach of unsecured protected health information (PHI).


The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). The notice must be sent to the involved individuals as soon as reasonably possible but no later than 60 days after discovery of the breach. (45 CFR § 164.404).

The timing of notice to HHS depends on the number of persons affected by the breach. If the breach involves 500 or more persons, the covered entity must notify HHS at the same time it notifies the individuals, and it must also notify the media. If the breach involves fewer than 500 persons, the covered entity must report the breach to HHS no later than 60 days after the end of the calendar year in which the breach(es) were discovered (i.e., March 1, 2019 for breaches that occurred during 2018).

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.”
  1. The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  2. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or at an organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Documentation. A covered entity is required to maintain documentation concerning its breach analysis and/or reporting for six years. (45 CFR §§ 164.414 and 164.530(j)).

Accounting Logs. Whether or not the breach is reportable to the individual or HHS, covered entities and business associates are still required to record impermissible disclosures in their accounting of disclosure log(s) as required by 45 CFR § 164.528. The log must record the date of the disclosure; the name and address of the entity that received the PHI; a brief description of the PHI disclosed; and a brief statement of the reason for the disclosure. (45 CFR § 164.528(b)). If requested, the covered entity must disclose the log to the individual or the individual’s personal representative within 60 days. (Id. at 164.528(c)).

Avoid Reports by Avoiding Breaches. Of course, it is better to avoid a breach rather than respond to one. To that end, covered entities and business associates should ensure that they practice preventive medicine by, among other things, encrypting PHI when possible and implementing other required policies and administrative, technical, and physical safeguards to protect PHI. They should train and regularly remind workforce members concerning HIPAA obligations, periodically monitor compliance, and respond promptly to correct weaknesses.

Submitting a Notice of Breach to the HHS Secretary:

If you have any questions, you may call HHS OCR toll-free at: 1-800-368-1019, TDD: 1-800-537-7697 or send an email to OCRPrivacy@hhs.gov.



Important Note: Remember that while it may be relatively unlikely that not reporting small breaches will automatically invite an HHS investigation, if a non-reported breach or a trend of violations IS discovered, this could lead to a finding of "willful neglect," magnifying penalties and fines dramatically.


Healthcare Compliance Solutions Inc.


