HHS posted instructions this week for submitting a privacy or security breach of protected health information (PHI) to the secretary of HHS.
The instructions come a little more than a month after HHS released final guidance on breach notification and the acceptable conditions for covered entities and business associates to encrypt and destroy patient records in order to prevent breaches of PHI.
The breach notification regulations took effect September 23, but covered entities and business associates (BAs) need not worry about HHS enforcement until February 22, 2010.
Surely, the form released this week is one your organization wants to avoid. However, it's a good time to look at its requirements. Covered entities and their BAs should be well under way constructing a breach notification process, and it's good to know what HHS wants in this form.
If a breach affects 500 or more individuals, a covered entity must provide the secretary with notice without "unreasonable delay" and in no case later than 60 days from the breach discovery. The notice must be submitted electronically by using this link with completed information.
The same form is used for breaches affecting fewer than 500 individuals. However, covered entities must provide notice to the secretary of those breaches only annually. (All notifications of these breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred.)
HHS' form includes the following sections:
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says he got an error message when testing the form.