Tip: Make timely breach reporting a practice priority.

With all that’s going on in healthcare, you may have forgotten about HIPAA breach reporting. Unfortunately, the pandemic hasn’t stopped privacy issues, data security incidents, or mobile device meltdowns; in fact, it has magnified them.

What do these things have in common? They often lead to HIPAA breaches for covered entities (CEs) that need to be reported. And the sooner you alert the Department of Health and Human Services (HHS) Secretary to the loss of protected health information (PHI) the better — don’t stew over the breach or you will suffer the consequences.

Refresher: “According to the Privacy Rule, a breach is any acquisition, access, use, or disclosure in violation of the privacy rule — and that covers a lot,” says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.

If you uncover a HIPAA breach in your office, know that there are different timelines for reporting to HHS. The larger the breach the shorter the turnaround time to let the feds know the details. Here’s a basic breakdown of what you need to remember when reporting the violation to HHS.

Breaches that include more than 500 individuals:

Breaches that include fewer than 500 individuals:

No matter the size or scope of the incident, all HIPAA breaches are reported through the OCR breach portal at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.

Remember: “Each breach must be reported, even if it affected as few as one individual,” warn Dona and Pool.

Tip: Even a small practice can make an impact with HIPAA protocols by stopping breaches before they start and setting up BA agreements that are compliant. The initial task of creating resources and office compliance protocols can be daunting, but it’s essential that you educate your staff and your BAs, setting up a breach management plan.

“The portal permits a business associate [BA] to report its own breach on behalf of the applicable covered entity, but the reporting obligation ultimately rests with the covered entity,” acknowledge Dona and Pool. However, as the CE, you may want to “retain the reporting responsibility” to avoid problems, delays, and fines, they suggest.

Resource: Review OCR guidance on breach reporting at www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.