As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches to HHS on an annual basis, regardless of the number of individuals affected. The deadline for this report is Friday, March 1st. This reporting requirement is pursuant to the interim final rule on Breach Notification; the Omnibus HIPAA rule published in January does not impose any new requirements related to reporting of 2012 HIPAA breaches.
Providers who have had breaches affecting fewer than 500 individuals can report the HIPAA breaches here. This report needs to be filled out for each breach that occurred during the 2012 calendar year. For example, if a covered entity had a breach in March 2012 affecting five individuals and another breach in August 2012 affecting two individuals, the report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example).
To fill out this form, covered entities will need to submit the following information about the breach:
- General information regarding the covered entity
- Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
- Date of the Breach
- Date of Discovery
- Approximate number of individuals affected by the Breach
- Type of Breach (e.g. theft, loss, unauthorized access, etc.)
- Location of breached information (e.g. laptop, e-mail, etc.)
- Type of Protected Health Information involved in the Breach (e.g. demographic, financial, etc.)
- Description of the Breach
- Safeguards in place prior to the Breach (e.g. firewalls, physical security, etc.)
- Date individuals were notified of the Breach
- Whether substitute notice was required (this requirement is described in the rule)
- Whether media notice was required (this requirement is described in the rule)
- Actions taken in response to the Breach (sanctions, mitigation, etc.)
- Any additional actions taken
- Attestation
For those covered entities that have had a breach that affected more than 500 individuals, this report should have been submitted no later than 60 days following discovery of the breach, in accordance with the interim final rule on Breach Notification.
If you have questions about filling out this report or about Breach Notification in general, please contact Elana Zana or Dave Schoolcraft.