If in 2019 you had a HIPAA breach that affected fewer than 500 individuals, you must report it to the US Department of Health and Human Services (HHS) by Saturday, February 29, 2020. That date is the 60th day after the end of the calendar year, which is the deadline the Breach Notification Rule sets for these smaller breaches.
Not sure whether you have had an incident that requires reporting? Start by knowing that every breach must be logged as it happens, regardless of how minor it was or how few individuals were affected. For a breach affecting fewer than 500 people, you have two options: report it to the Secretary of HHS as it occurs, or collect the details and report them within 60 days of the end of the calendar year in which the breach was discovered. Note that this annual window applies only to the notice to HHS; the affected individuals must still be notified without unreasonable delay and no later than 60 days after the breach is discovered, and a breach affecting 500 or more individuals must be reported to HHS (and, where required, the media) within that same 60 days of discovery rather than at year end.
A Covered Entity (CE) notifies the Secretary of HHS by completing and submitting a breach report on the HHS website. A Business Associate (BA) that discovers a breach must notify the CE, which then files the report (unless the BA has been contractually assigned that task in the business associate agreement). Additional information can be supplied later, but an estimate of the number of affected individuals is required on the initial report. A CE or BA may submit all of its breaches affecting fewer than 500 individuals on a single date, but a separate notice must be completed for each breach incident.
To be clear, reporting a breach does NOT mean HHS will penalize you. Logging and reporting breaches demonstrates that you are doing your best to adhere to the laws and regulations in place: you are acknowledging the compromise and showing that you are taking action and putting measures in place to keep it from happening again. The time to worry about fines and penalties is when you are on the wrong side of that behavior and simply neglect to report, because then you are neither cooperating nor complying with the governing body. A definite no-no. A maintained breach log also gives you credibility by showing that your employees are familiar with the process, an important part of HIPAA and one that will benefit you should an audit occur.
But What If I Don’t Know How?
There is no better time than the present to learn. This is a great way to become familiar with the guidelines and establish a reporting process for your organization. This article provides additional information on reporting requirements.
It Wasn’t Me
Your Business Associate logged a breach. Are you responsible? If your business associate agreement names them as the party responsible for filing the report, the filing task is theirs, although as the Covered Entity you still carry the obligation under the rule, so the delegation does not take you out of the picture. This is another way that having written policies and procedures can cover your assets and your organization. Be sure to review the breach report they submit and file, and confirm that it accurately describes your involvement and how you were affected.
The February 29th deadline is a great reason to check in with your Business Associates and ask whether they have filed any breach reports.
HIPAA is there to protect you as a business and your patients as individuals. Yes, there is a lot to it, but once it is in place it can do wonders for your credibility, your confidence that you can survive a breach, and your patients' confidence that you are doing right by them.
This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.