OCR Raises the Stakes Again with Updated Breach Reporting Requirements


Updated OCR Breach Portal Requires Disclosing Compliance Gaps


The HITECH Breach Notification Rule requires HIPAA covered entities to report breaches of unsecured protected health information (PHI) to the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS). Under the Breach Notification Rule, an unauthorized use or disclosure of PHI by a covered entity or its business associate is presumed to be a breach unless the organization can demonstrate, through a risk assessment, that there is a low probability that the confidentiality of the information was compromised.

The HITECH Act defines “unsecured Protected Health Information” as PHI that is not secured through the use of technologies or methodologies, as specified in guidance by the Secretary of HHS, that render the PHI unusable, unreadable, or indecipherable to unauthorized individuals. In April 2009, HHS issued guidance indicating that in order for PHI to be secured, it must be encrypted or destroyed according to standards established by the National Institute of Standards and Technology.

The Breach Notification Rule requires a covered entity to notify HHS following the discovery of a breach of unsecured protected health information. With respect to breaches involving 500 or more individuals, HHS requires notification be sent concurrently with the notification sent to the individual (i.e., without unreasonable delay but in no case later than 60 calendar days following discovery of a breach). The rule further requires that the notifications to the government be provided through the HHS website.

However, OCR now requires the same level of specific detail for small breaches as for large breaches when they are reported to HHS. For breaches involving fewer than 500 individuals, the Breach Notification Rule requires a covered entity to maintain a log or other documentation of such breaches and to submit information annually to HHS for breaches that occurred during the preceding calendar year. These breaches must be reported no later than 60 days after the end of each calendar year. As with notification of the larger breaches, the rule further requires that the notifications to the government be provided through the HHS website.

What is clear from OCR’s changes to the breach reporting portal, as well as from recent enforcement actions and resolution agreements, is that the stakes are significantly higher for covered entities, business associates, and their subcontractors. It is not enough to have adopted a Notice of Privacy Practices and HIPAA-compliant policies and procedures; rather, HIPAA compliance must become ingrained in these organizations’ respective cultures and day-to-day business practices. Nor may entities that timely report a privacy or security breach resulting from a stolen laptop realistically believe that they can avoid investigation and potential civil monetary penalties. Now, HHS is looking behind the stolen laptop (the symptom) to identify whether sufficient attention has been paid to HIPAA privacy and security requirements, and is reviewing the mechanisms that could have brought the risk to light sooner and potentially prevented the theft (the cause).

February 4th, 2015

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.