The March 1st HIPAA Breach Report Deadline is fast approaching.
According to HIPAA regulation, health care providers have 60 days from the end of the calendar year to report breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
The rule here applies to Covered Entities (CEs) such as doctors, insurance companies, and clearinghouses that have had breaches affecting fewer than 500 individuals; these are considered Minor Breaches. Meaningful Breaches, those affecting more than 500 individuals, must be reported within 60 days of the breach itself.
All minor breaches must be reported by this March 1st deadline.
OCR has a dedicated site that CEs can visit to report these breaches. Below, we’ve included some information for behavioral health specialists about what OCR is looking for and to whom this deadline applies.
Who Needs to Report?
HIPAA regulation defines a CE as any health plan, health care clearinghouse, or health care provider that transmits “any information in an electronic form in connection with a transaction for which HHS has adopted a standard.” This includes, for the most part, MDs, clinics, psychologists, therapists, nursing homes, and behavioral health specialists that handle PHI.
If your organization has had a data breach of any size in 2016, and you meet any of the above requirements, you must visit OCR’s site to report it before March 1st.
What Needs to be Reported and When?
HHS has a few requirements that determine what should be reported and when. Typically, it’s decided by the number of individuals who were affected by a given breach.
- Individuals affected by a breach should be notified within 60 days of the discovery of the breach.
- CEs must document minor breaches of fewer than 500 individuals’ unsecured PHI and report them to HHS annually. This annual report must be submitted to HHS within 60 days of the end of the previous calendar year, which is the deadline approaching on March 1st.
- CEs must document meaningful breaches of more than 500 individuals’ unsecured PHI and report them to HHS within 60 days of the discovery of the breach. State media outlets must also be notified, no later than 60 days after discovery of the breach, if the breach affected 500 or more residents of a single state.
In the aftermath of OCR’s first fine in the history of HIPAA enforcement for improper compliance with the Breach Notification Rule, behavioral health specialists and health care professionals of all varieties should ensure that they report their minor breaches to OCR by this March 1st deadline.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and remediation plans. The Guard includes policies and procedures that are uniquely tailored to the needs of your organization so you’ll never have to worry about the headaches that come with generic policy binders again.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
For more information about what you can do to protect your behavioral health practice, see these upcoming HIPAA educational webinars.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company, or individual.