How to Submit Notice of a Patient Information Breach
HHS posted instructions this week for submitting a privacy or security breach of protected health information (PHI) to the secretary of HHS.
The instructions come a little more than a month after HHS released final guidance on breach notification and the acceptable conditions for covered entities and business associates to encrypt and destroy patient records in order to prevent breaches of PHI.
The breach notification regulations took effect September 23, but covered entities and business associates (BAs) need not worry about HHS enforcement until February 22, 2010.
Surely, the form released this week is one your organization wants to avoid. However, it's a good time to look at its requirements. Covered entities and their BAs should be well under way constructing a breach notification process, and it's good to know what HHS wants in this form.
If a breach affects 500 or more individuals, a covered entity must provide the secretary with notice without "unreasonable delay" and in no case later than 60 days from the breach discovery. The notice must be submitted electronically by using this link with completed information.
The same form will be used for breaches of fewer than 500. However, covered entities must provide notice to the secretary on those breaches only annually. (All notifications of these breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred).
HHS' form includes the following sections:
- Section 1 - Covered Entity. Includes basics like name, address, type of covered entity.
- Section 2 –Business Associate. Same as Section 1, but if the breach happened at a BA's facility.
- Section 3 –Breach. This includes:
- Date of breach
- Date of discovery
- Number of individuals affected
- Type of breach (theft, loss, improper disposal)
- Location of breach information
- Type of PHI involved
- Description of breach
- Safeguards in place prior to breach
- Section 4 – Notice of Breach and Actions Taken. This includes actions your organization took in response to the breach (security/privacy safeguards, mitigation, sanctions, policies, and procedures).
- Section 5 – Attestation. This is verification the information your organization submitted is true and a reminder: "OCR may be required to release information provided in your breach notification."
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says he got an error message when testing the form.
- Providers Lag as Consumers Set Agenda
- Look Beyond Nurse-Patient Ratios
- Reform Puts Vise Grips on Physicians
- Esther Dyson Launches Population Health Challenge
- Crisis Spurs Healthcare Payment Reform in Arkansas
- Hospital Groups Back NQF Report on Patient Sociodemographics
- NPP Demand Rising Under Value-Based Care Models
- Medicare Opt-Out a Viable Physician Strategy
- ICD-10 Delay Alters Provider, Vendor Prep
- Boston Marathon Bombing Yields Lessons for Hospitals