[BreachExchange] HIPAA Small Breach Notifications Due to OCR March 1

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 21 19:35:52 EST 2017


http://www.natlawreview.com/article/hipaa-small-breach-notifications-due-to-ocr-march-1

Covered entities have until March 1, 2017 to submit to the U.S. Department
of Health and Human Services Office for Civil Rights (OCR) breach
notification for “small” breaches of unsecured protected health information
that were discovered in calendar year 2016.

Breach Notification Requirements

HIPAA requires covered entities to provide breach notification to affected
individuals without unreasonable delay and in no case later than 60
calendar days after discovery of the breach. Entities must also report
small breaches (i.e., those breaches involving fewer than 500 individuals)
to OCR no later than 60 days after the end of each calendar year. This
year, notifications of small breaches are due no later than March 1, 2017.

If covered entities have delegated breach reporting obligations to business
associates (or any other entity), such business associates must meet this
OCR notification deadline. Otherwise, business associates fulfill their
breach reporting obligations by reporting directly to the covered entity.

Notification Process

Covered entities should submit notice for each small breach online via
OCR’s breach portal. The breach portal requires a separate fillable report
for each breach rather than a simple upload of the covered entities’ breach
logs.

Covered entities should expect to move through a somewhat time-consuming and
detailed process. As such, covered entities should not wait until March 1
to begin preparing notifications. Instead, covered entities should
designate a person who is responsible for notifications and verify that
individual’s availability and capacity to complete the reports in advance
of the March 1 deadline. We also recommend that entities prepare the
contents of the reports in advance so that any additional appropriate
people (e.g., business leaders, privacy/security officers, legal counsel)
can review the report prior to submission. Covered entities can collect and
track the detailed information required in these breach portal reports
during the calendar year to avoid a lengthy OCR notification process and to
avoid missing any pertinent information.

Once reports are submitted, covered entities should print each report and a
copy of the submission confirmation to maintain documentation of timely
notification to OCR. Covered entities should also continue to maintain
supporting materials for each breach, as breach notifications can lead to
OCR investigations.