[fusion_builder_container hundred_percent=”no” equal_height_columns=”no” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” background_position=”center center” background_repeat=”no-repeat” fade=”no” background_parallax=”none” enable_mobile=”no” parallax_speed=”0.3″ video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” overlay_opacity=”0.5″ border_style=”solid” padding_top=”0″ padding_bottom=”0″][fusion_builder_row][fusion_builder_column type=”1_1″ layout=”1_1″ spacing=”” center_content=”no” hover_type=”none” link=”” min_height=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_image=”” background_position=”left top” background_repeat=”no-repeat” border_size=”0″ border_color=”” border_style=”solid” border_position=”all” padding=”” dimension_margin=”” animation_type=”” animation_direction=”left” animation_speed=”0.3″ animation_offset=”” last=”no”][fusion_text]

It is said that the only two certainties in life are death and taxes. If you are a HIPAA covered entity, you can add reporting breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). For breaches involving less than 500 individuals, the Breach Notification Rule requires a covered entity to submit information to HHS at least annually through OCR’s breach reporting portal on the HHS website. For the 2016 calendar year the deadline for reporting breaches affecting fewer than 500 individuals is March 1, 2017

Since 2015, OCR requires specific information about a covered entity’s “under 500 breaches,” much like reporting of larger breaches. Each breach incident reported through the OCR breach portal requires supplying information including details about when the breach incident was discovered, when notifications to individuals were made, the root causes of the breach incident and steps the covered entity has taken to mitigate another occurrence.

We recommend a strategic approach in the development of the information to be reported through the OCR portal. OCR will act on the information supplied by the covered entity, and it will influence the interest the agency takes in conducting a review of the incident. Providing inaccurate information about a breach or an organization’s mitigation efforts can lead to big problems. To give your organization a head start in developing its strategy in reporting through the OCR breach portal, we have prepared previews of the web pages from the HHS website. We also offer the following tips:

What is clear from OCR’s recent enforcement actions and resolution agreements is that the stakes are significantly higher for covered entities, business associates, and their subcontractors. It is not enough to have adopted a Notice of Privacy Practices and HIPAA-compliant policies and procedures; rather, HIPAA compliance must become engrained in an organization’s culture and day-to-day business practices.

Nor may entities that timely report a privacy or security breach resulting from a stolen laptop realistically believe that they can avoid investigation and potential CMPs. Now, HHS is looking behind the stolen laptop (the symptom) to identify if sufficient attention has been paid to HIPAA privacy and security requirements and individuals affected by the incident have been notified in a timely manner, as well as reviewing the mechanisms that could have brought the risk to light sooner and potentially prevented the theft in a timely manner (the cause).

If you have questions about breach reporting requirements or the breach reporting portal, please contact us at advisory@cynergistek.com.