Health Information Compliance Alert

With violations on the rise, the feds’ offering simplifies disclosure.

As the number of large-scale HIPAA breaches is around 175 with more added daily, both providers and consumers need easier access for reporting and accessing information. A new online portal that is easy-to-use, updated, and focused on the largest impacts over the last 24 months helps to refine data for research and disclosure.

“HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” said HHS Secretary Tom Price, MD, in a press release. “To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.”

Remember These Specifics on the Who, How, When, and Why of Breach Disclosure

If you uncover a HIPAA breach in your office, this is what you need to remember when reporting the violation to the HHS Office for Civil Rights (OCR).

Breaches that include more than 500 individuals:

• “A covered entity must notify the secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach,” the HHS Breach Notification guidancesays.
• You must file the breach notification electronically, and all information on the forms must be complete and comprehensive regarding the breach.
• You must notify the media of the breach.
• You must alert affected individuals to the loss of their protected health information (PHI).

Breaches that include fewer than 500 individuals:

• The covered entity must alert the HHS secretary of the breach within 60 days of the calendar year in which the breach occurred.
• You must file the breach notification electronically, but you can submit the breach notifications on the same day — even if they occur on different days and concern different issues.
• You must alert individuals affected by the breach.

Here’s How the New Option Will Help with the Process

The revamped HIPAA Breach Reporting Tool (HBRT) allows for greater transparency for provider contacts, hospitals, and consumers. The streamlined website shows only the largest breaches from the last 24 months, archiving older breaches from past years and detailing their resolutions on the site, the release says. A consumer help section addresses patients’ concerns about lost PHI with links on how to rectify and verify information as well.

The HBRT still includes mainstays from its original 2009 format mandated in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The following categories are part of each breach description on the HBRT, OCR notes:

• name of the entity;
• state where the entity is located;
• number of individuals affected by the breach;
• date of the breach;
• type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and
• location of the breached information (e.g., laptop, paper records, desktop computer).

Federal take: “The HBRT provides health care organizations and consumers with the ability to more easily review breaches reported to OCR,” said Roger Severino, Director of the OCR. “Furthermore, greater access to timely information strengthens consumer trust and transparency — qualities central to the Administration’s focus on a more innovative and effective government.”

Resource: To review the HHS release on the HIPAA Breach Reporting Tool, visit https://www.hhs.gov/about/news/2017/07/25/hhs-unveils-improved-web-tool-highlight-recent-breaches-health-information.html.