HIPAA rules require Covered Entities (CE) and their Business Associates (BA) to provide notification following a breach of unsecured protected health information (PHI), which is information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
To submit your breach report via the HHS website, go to https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
It’s All About the Documentation
The burden of demonstrating that disclosure of PHI constituted a breach, or not, and that all required notifications were provided rests squarely on the shoulders of the CE and/or BA. Case by case documentation of unauthorized disclosures must indicate (when applicable) that all required notifications were made. If notification was not required, then documentation must exist to show that there was an assessment of risk that showed a low probability that PHI was compromised.
Things to keep in mind:
• The nature and extent of the PHI involved and the likelihood of re-identification
• Whether the PHI was acquired or viewed, and by whom; and,
• The extent to which the risk to the PHI has been mitigated.
Ultimately, documentation is a must. To ensure documentation is not missed, CE’s and BA’s should maintain written policies/procedures, proof of workforce training that includes items like annual HIPAA and Security training, Certified Release of Information Specialist (CRIS) testing and certification.
Know the Exceptions:
There are three exceptions that do not require reporting:
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of authority*.
- Inadvertent disclosure of PHI by a person authorized to access at a CE or BA to another person authorized to access PHI at the CE or BA, or organized health care arrangement in which the covered entity participates*.
*In both cases, the information cannot be further used or disclosed in a manner not permitted.
- If the CE or BA has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Note: CE’s and BA’s must only provide the required notifications if the breach involved unsecured protected health information.
Mitigating Your Risk of Breach in 2020 and Beyond
2019 has ended, and you know what you need to complete by the February 29th deadline. It’s time now to focus on mitigating your exposure for risk in 2020. Partnering with an expert in secure PHI transfer like RRS Medical is your best option. RRS Medical provides our clients and the healthcare community at large with information that supports knowledge and access to the most secure processes. Our technology is designed to increase automation, reduce errors while increasing response and turnaround times. Here are a few benefits to consider.
1. RRS Medical is 100% focused on secure PHI transfer technology and solutions
2. 100% CRIS certified staff
3. Annual HIPAA training and Security training
4. Ongoing client education and communication
5. Robust compliance programs and support
Click the link below to view the HIPAA Breach Decision Tree, and be ready for your next required yearly notification of breaches!
Reference: HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414. See full rule below for patient and media reporting requirements at time of suspected breach along with more detailed information.
View the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals: https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html