Question: We identified a small data breach in our system that impacted 97 patients. Because the breach was small and we contained it, do we still need to report it?
Tennessee Subscriber
Answer: Yes, you must report the breach to the Department of Health and Human Services (HHS) no matter the size. But when you uncover a HIPAA breach in your office, know that there are different timelines for reporting to the feds. The larger the breach, the shorter the turnaround time to report the details.
Here’s a basic breakdown of what you need to remember when reporting the violation to HHS.
For breaches that include more than 500 individuals:
- As a covered entity (CE), you “must notify the [HHS] Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach,” notes the HHS Office for Civil Rights (OCR) breach notification guidance.
- Your breach notification must be filed electronically; plus, the data you submit and all information on the required forms must be complete and cover all aspects of the breach.
- You must notify the media as well, and, as with alerting the HHS Secretary, you must do so without unreasonable delay.
- You must notify the affected individuals that their PHI was breached within 60 days of the breach, by first-class mail or, if the individual has previously agreed to receive correspondence electronically, by email, the OCR says.
For breaches that include fewer than 500 individuals:
- As the CE, you need to alert the HHS Secretary of the breach within 60 days of the end of the calendar year in which the breach occurred.
- You need to submit your forms electronically. Even if the breaches occurred on different days and concern different issues, you can still submit all of them on the same day.
- The individuals whose PHI was affected must be notified as well, by first-class mail or email, within 60 days of the breach.
Tip: Even a small practice can strengthen its HIPAA posture by stopping breaches before they start and by putting compliant business associate agreements (BAAs) in place. The initial work of creating resources and office compliance protocols can be daunting, but it is essential that you educate your staff and your business partners and set up a breach management plan.