HIPAA/HITECH Data Breach Reports: Incidents Involving 500 Or Less To Be Reported By End Of February.
The site jdsupra.com has a short but urgent observation that February is the month when all HIPAA covered-entities must report any incidents which involved 500 or less PHI data breaches. Again, a stark reminder that if you are a covered entity, it pays in the long run to use drive encryption software like AlertBoot.
More than 500 Affected
The “HITECH Interim Final Rule for Breach Notification for Unsecured Protected Health Information” stipulates that HIPAA covered entities must report a data breach to the Department of Health and Human Services without undue delay if it involves 500 or more people.
This requirement is exempted if the PHI data breach was nullified via the use of encryption software. While neither HIPAA nor HITECH codifies it directly, an entry in the Federal Register clarifies the situation (my emphasis):
…if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered ‘‘unsecured protected health information’’ as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals. [Federal Register Vol.74, No.162]
But what about incidents where encryption is not used and less than 500 people are affected?
Less than 500 Affected
If a data breach involves less than 500 patients, then it and any other similar instances can be consolidated into one report to be sent to the HHS at the “end of the year.” The end of the year is a misnomer because it’s really 60 calendar days after the new year has begun. In other words, by the end of February of each year, a covered entity must file a “data breach that affected 500 or less” report.
The report is done electronically from the hhs.gov site. Follow this link.