In August 2009, the Department of Health and Human Services (HHS) issued its interim final rule with regard to requirements for notification in the event of a breach of unsecured protected health information (PHI). Among other notification requirements (including notice to impacted individuals and in some cases notice to the media), the interim final rule requires covered entities (i.e., health plans, health care clearinghouses or certain health care providers) to provide notice to HHS of any breach of unsecured PHI:
- If the breach involves fewer than 500 individuals, by maintaining a log of each such breach and providing the log to HHS on an annual basis within 60 days after the end of the calendar year; or
- If the breach involves 500 or more individuals, by notifying HHS without unreasonable delay, but in no event later than 60 days from discovery of the breach.
The Secretary has now updated the HHS website with information on the breach notification rule. Covered entities are required to notify the Secretary of any breach of unsecured PHI by visiting the HHS website and filling out and electronically submitting a breach report form. Breaches involving fewer than 500 individuals are reported on a separate form from breaches involving 500 or more individuals. Additionally, each breach impacting fewer than 500 individuals must be reported separately. HHS does not provide a mechanism to submit any of the reports in printed form, nor does it allow the submission of a one-time annual report covering all calendar year breaches involving fewer than 500 individuals.
The online breach report forms can be found at the following address: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Additional information on the breach notification rule can be found in our previous Legal Alert, at http://www.fordharrison.com/shownews.aspx?show=5247. If you have any questions regarding the breach notification rule or other HIPAA issues, please contact the author of this Alert, Daniel T. Sulton, at firstname.lastname@example.org, or any member of our Employee Benefits Group.