An important HIPAA deadline is coming up that behavioral health professionals must be aware of: the HIPAA Breach Notification Rule deadline. Hopefully, you have already reported the more significant breaches, those that affected 500 or more patients. However, if your practice was breached and the incident involved fewer than 500 patients, now is the time to report it.
Several types of incidents are considered reportable breaches, including:
- Hacking incidents
- Unauthorized access or disclosure of protected health information (PHI)
- Theft or loss of paper records or films
- Theft or loss of an unencrypted device with access to electronic PHI
- Improper disposal of medical records
When is the HIPAA Breach Notification Rule Deadline?
The HIPAA Breach Notification Rule dictates specific reporting deadlines for unsecured PHI incidents. The deadline to report breaches that affected fewer than 500 patients in 2021 is March 1, 2022. It is essential to keep track of all minor breaches within your practice throughout the calendar year, including breaches that affected just one patient, so that breach reporting is timely. Breaches that affected 500 or more patients, by contrast, should already have been reported within 60 days of discovery.
HIPAA Breach Notification Form
A breach notice is submitted to the Department of Health and Human Services (HHS) by completing a form on the HHS website. The HIPAA Breach Notification Form asks reporting entities to input information into several tabs: general, contact, breach, notice of breach and actions taken, attestation, and summary. Each tab asks a series of questions, including whether you are a covered entity or a business associate, how many patients were affected by the breach, when the breach occurred, what type of breach occurred, etc. (for a complete list of the questions asked when reporting a PHI breach, please visit the HHS website).
Sample Breach Notification Letter
The March 1st deadline applies to reporting minor breaches to the HHS. However, the requirements for notifying patients are stricter. Regardless of the size of the breach, breach notification letters must be mailed to affected patients within 60 days of discovery. If ten or more patients could not be reached by mail, a substitute breach notice must also be made available for 90 days on the organization's website.
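The deadlines above are easy to miss when a practice logs small incidents throughout the year, so here is an added example of a minimal breach log that computes each deadline and flags anything overdue. This is illustrative code written for this page, not part of the original article and not Compliancy Group's software. It assumes that the HHS deadline for a breach of fewer than 500 patients is 60 days after the end of the calendar year in which it was discovered (which produces the March 1, 2022 date stated above for 2021 breaches), that the substitute web notice is posted on the day letters are mailed, and the Breach fields and the sample incidents are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds and windows as stated in the article (constructed example, not Compliancy Group code).
LARGE_BREACH_THRESHOLD = 500           # 500 or more patients: report to HHS within 60 days of discovery
NOTIFICATION_WINDOW_DAYS = 60          # HHS report for large breaches; patient letters for every breach
SUBSTITUTE_NOTICE_MIN_UNREACHABLE = 10 # 10 or more patients unreachable by mail: web substitute notice
SUBSTITUTE_NOTICE_DAYS = 90            # substitute notice must stay up for 90 days


@dataclass
class Breach:
    """One logged incident. Field names are an assumption of this example."""
    description: str
    breach_date: date
    discovery_date: date
    affected: int
    unreachable_by_mail: int = 0
    hhs_reported_on: Optional[date] = None
    letters_mailed_on: Optional[date] = None


def hhs_deadline(b: Breach) -> date:
    """Deadline for the report to HHS.

    Large breaches (500+): 60 days from discovery.
    Smaller breaches: assumed here to be 60 days after the end of the calendar
    year of discovery, which gives March 1, 2022 for a breach discovered in 2021.
    """
    if b.affected >= LARGE_BREACH_THRESHOLD:
        return b.discovery_date + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    year_end = date(b.discovery_date.year, 12, 31)
    return year_end + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def patient_letter_deadline(b: Breach) -> date:
    """Letters to affected patients are due within 60 days of discovery, whatever the size."""
    return b.discovery_date + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def substitute_notice_window(b: Breach) -> Optional[Tuple[date, date]]:
    """If 10+ patients could not be reached by mail, return the (start, end) dates the
    substitute notice must remain on the website; None when no substitute notice is needed.
    Assumes the notice is posted on the day the letters are mailed (or on the letter deadline)."""
    if b.unreachable_by_mail < SUBSTITUTE_NOTICE_MIN_UNREACHABLE:
        return None
    start = b.letters_mailed_on or patient_letter_deadline(b)
    return start, start + timedelta(days=SUBSTITUTE_NOTICE_DAYS)


def overdue_items(log: List[Breach], today: date) -> List[str]:
    """Findings for every obligation that is past its deadline and not yet recorded as done."""
    findings = []
    for b in log:
        if b.hhs_reported_on is None and today > hhs_deadline(b):
            findings.append(f"HHS report overdue: {b.description} (due {hhs_deadline(b)})")
        if b.letters_mailed_on is None and today > patient_letter_deadline(b):
            findings.append(f"Patient letters overdue: {b.description} (due {patient_letter_deadline(b)})")
    return findings


# Constructed sample log: one small breach, one large breach.
SAMPLE_LOG = [
    Breach("Misdirected fax with 12 patient records", date(2021, 5, 3), date(2021, 5, 10),
           affected=12, letters_mailed_on=date(2021, 6, 1)),
    Breach("Lost unencrypted laptop", date(2021, 5, 8), date(2021, 5, 10),
           affected=800, unreachable_by_mail=15,
           hhs_reported_on=date(2021, 6, 15), letters_mailed_on=date(2021, 6, 1)),
]

if __name__ == "__main__":
    for b in SAMPLE_LOG:
        print(b.description, "| HHS due", hhs_deadline(b), "| letters due", patient_letter_deadline(b),
              "| substitute notice", substitute_notice_window(b))
    for finding in overdue_items(SAMPLE_LOG, date(2022, 3, 15)):
        print(finding)
```

Run as a script it prints each incident's deadlines and, for the sample date of March 15, 2022, the one overdue item: the small breach was never reported to HHS by March 1. Keeping the log current during the year, rather than reconstructing it in February, is what makes the year-end report straightforward.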
The HHS dictates specific information that must be included in patients’ breach notification letters.
- A brief description of the breach
- A description of the types of information involved in the breach
- The steps affected individuals should take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
- Contact information for the covered entity
Below is a sample breach notification letter.
Dear [Patient Name],
I am writing you with important information about a recent breach of your personal information from [Organization Name]. We became aware of this breach on [Discovery Date], which occurred on or about [Breach Date].
The breach occurred as follows:
- Description: [Briefly describe the breach]
- Type(s) of Protected Health Information: [What information was potentially compromised in the breach, i.e., patient name, address, Social Security number, etc.]
- Individual Steps: [What patients should do to protect themselves, i.e., credit monitoring]
- Mitigation: [What the organization is doing to investigate the breach and how they are preventing similar incidents from occurring in the future]
Please contact [Compliance Officer Name] for more information at [phone number, email address].
This Article is Contributed by Compliancy Group