Death, Taxes … and Breach Reporting

It is said that the only two certainties in life are death and taxes. If you are a HIPAA covered entity, you can add a third: reporting breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). For breaches involving fewer than 500 individuals, the Breach Notification Rule requires a covered entity to submit information to HHS at least annually through OCR’s breach reporting portal on the HHS website. For the 2016 calendar year, the deadline for reporting breaches affecting fewer than 500 individuals is March 1, 2017.

Since 2015, OCR has required specific information about a covered entity’s “under 500 breaches,” much like the reporting of larger breaches. Each breach incident reported through the OCR breach portal requires supplying information including when the breach incident was discovered, when notifications to individuals were made, the root causes of the breach incident, and the steps the covered entity has taken to prevent another occurrence.

We recommend a strategic approach to developing the information to be reported through the OCR portal. OCR will act on the information supplied by the covered entity, and that information will influence the interest the agency takes in conducting a review of the incident. Providing inaccurate information about a breach or about an organization’s mitigation efforts can lead to big problems. To give your organization a head start in developing its strategy for reporting through the OCR breach portal, we have prepared previews of the web pages from the HHS website. We also offer the following tips:

  • Pay attention to the interval between the date on which the breach is discovered and the date on which individuals are notified; it should be no more than 60 days. The Breach Notification Rule requires a covered entity to send notification to the individual(s) whose PHI was compromised no later than 60 calendar days following discovery of a breach. If there is more than a 60-day delay in notifications, be prepared to explain why.
  • Keep the explanation of how the breach occurred short, simple and to the point. Organizations sometimes provide a detailed explanation that can be perceived as indicating poor compliance practices or systemic failures to safeguard PHI, when in actuality the incident can be shown to have been an isolated occurrence. It is better for the initial breach report to be a short summary of the facts and to save the minute details for any follow-up review conducted by OCR.
  • When reporting to OCR the steps the organization has taken to fix compliance problems, or the safeguards put into place to address the root cause of the breach incident, ensure that the mitigation activities can be demonstrated or documented through the risk management plan.

What is clear from OCR’s recent enforcement actions and resolution agreements is that the stakes are significantly higher for covered entities, business associates, and their subcontractors. It is not enough to have adopted a Notice of Privacy Practices and HIPAA-compliant policies and procedures; rather, HIPAA compliance must become ingrained in an organization’s culture and day-to-day business practices.

Nor may entities that timely report a privacy or security breach resulting from a stolen laptop realistically believe that they can avoid investigation and potential civil money penalties (CMPs). HHS now looks behind the stolen laptop (the symptom) to determine whether sufficient attention has been paid to HIPAA privacy and security requirements, whether the individuals affected by the incident were notified in a timely manner, and what mechanisms could have brought the risk to light sooner and potentially prevented the theft (the cause).

If you have questions about breach reporting requirements or the breach reporting portal, please contact us at

February 14th, 2017
