With OCR’s recent announcement of its first enforcement action for lack of timely breach notification and its increased focus on small breaches, the upcoming annual reporting deadline for small breaches takes on increased significance. HIPAA covered entities should ensure that they do not miss the March 1, 2017, reporting deadline for breaches of unsecured protected health information that were discovered in 2016 and affected fewer than 500 individuals.
Background & Reporting Requirement
In addition to requiring notification to affected individuals following a breach of unsecured protected health information (“PHI”), HIPAA requires covered entities to notify the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) of such breaches as well. For breaches that affect 500 or more individuals, covered entities are required to report the breach to the Secretary no later than 60 days following discovery. In contrast, for breaches that affect fewer than 500 individuals, a covered entity must maintain a log or other documentation of the breaches but has the option to wait to notify the Secretary until no later than 60 days after the end of the calendar year in which the breaches were discovered.
For breaches of unsecured PHI discovered in 2016 and affecting fewer than 500 individuals, the deadline to notify the Secretary is March 1, 2017.
Note that a covered entity is not required to wait until the deadline to report small breaches, and may report them prior to the deadline after such breaches are discovered. A breach is considered “discovered” as of the first day on which the breach is known to any workforce member or agent of the covered entity (other than the person committing the breach), or would have been known by exercising reasonable diligence. Covered entities are also responsible for logging and notifying the Secretary of breaches that are discovered by their business associates and reported to the covered entity.
Covered entities must report all breaches via the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) online Breach Portal. The portal may be used to submit an “Initial Breach Report” or an “Addendum to Previous Report.” Thus, covered entities should be prepared to submit—at a minimum—initial notice to the Secretary through the portal no later than March 1, 2017, of any breach of unsecured PHI discovered in 2016 which affected fewer than 500 individuals.
OCR Enforcement: 2017 Resolution Agreement for Untimely Breach Report and Increased Focus on Small Breaches
In the first resolution agreement announced in 2017, Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. This resolution agreement marks the first HIPAA enforcement action for lack of timely breach notification. Accordingly, covered entities should be aware of the significance that OCR places on timely breach reporting and ensure that all required breach reports are filed within the time required.
In addition, OCR Regional Offices investigate reported breaches. The Regional Offices investigate all breaches involving the PHI of 500 or more individuals, and have historically investigated breaches affecting fewer than 500 individuals less often at their discretion. However, in August 2016, OCR announced that it has increased its review of smaller breaches. One of the factors that OCR indicated that Regional Offices may consider in determining which small breaches to investigate is “the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.” In other words, OCR may choose to investigate a covered entity based on a lack of the expected number of breach reports as well as breach reports actually filed.
Taken together, the recent resolution agreement and OCR’s focus on small breaches—including attention to whether breach reports are being submitted as expected—underscore the importance of reporting breaches when required.