How to Submit Notice of a Patient Information Breach

By HealthLeaders Media Staff
October 02, 2009

HHS posted instructions this week for submitting a privacy or security breach of protected health information (PHI) to the secretary of HHS.

The instructions come a little more than a month after HHS released final guidance on breach notification and the acceptable conditions for covered entities and business associates to encrypt and destroy patient records in order to prevent breaches of PHI.

The breach notification regulations took effect September 23, but covered entities and business associates (BAs) need not worry about HHS enforcement until February 22, 2010.

Surely, the form released this week is one your organization wants to avoid. However, it's a good time to look at its requirements. Covered entities and their BAs should be well under way constructing a breach notification process, and it's good to know what HHS wants in this form.

If a breach affects 500 or more individuals, a covered entity must provide the secretary with notice without "unreasonable delay" and in no case later than 60 days from the breach discovery. The notice must be submitted electronically by using this link with completed information.

The same form will be used for breaches of fewer than 500. However, covered entities must provide notice to the secretary on those breaches only annually (all notifications of these breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred).

HHS' form includes the following sections:

  • Section 1 – Covered Entity. Includes basics like name, address, and type of covered entity.
  • Section 2 – Business Associate. Same as Section 1, but if the breach happened at a BA's facility.
  • Section 3 – Breach. This includes:
    • Date of breach
    • Date of discovery
    • Number of individuals affected
    • Type of breach (theft, loss, improper disposal)
    • Location of breach information
    • Type of PHI involved
    • Description of breach
    • Safeguards in place prior to breach
  • Section 4 – Notice of Breach and Actions Taken. This includes actions your organization took in response to the breach (security/privacy safeguards, mitigation, sanctions, policies, and procedures).
  • Section 5 – Attestation. This is verification the information your organization submitted is true and a reminder: "OCR may be required to release information provided in your breach notification."

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says he got an error message when testing the form.

"I am hoping that whoever is managing the form considers installing some icons where people can click to get 'help' on the form to avoid getting into a submit-error message-resubmit loop like the one I fell into without any specific directions or guidance on how to fix the error on the form," he says.

HHS' breach notification provisions include:

  • Notice to patients of breaches "without unreasonable delay" and within 60 days
  • Notice to covered entities by BAs when BAs discover a breach
  • Notice to "prominent media outlets" on breaches of more than 500 individuals
  • Notice to "next of kin" on breaches of patients who are deceased
  • Notice to the Secretary of HHS of breaches of 500 or more individuals without unreasonable delay
  • Annual notice to the Secretary of HHS of breaches of fewer than 500 individuals of "unsecured PHI" that pose a significant financial risk or other harm to the individual, such as reputational harm
