HIPAA Legal Updates — Breach Reporting Requirements
By Sumita Saxena, Senior Consultant, The Verden Group
There might be some confusion regarding the breach reporting requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA) and further enforced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. A breach is considered any acquisition, access, use or disclosure of Protected Health Information (PHI) which compromises the security or privacy of the PHI. However, if the disclosed PHI has been rendered unusable, unreadable, or indecipherable to unauthorized individuals, an adequate risk assessment may determine that a sufficiently minimal or nonexistent risk is present, thereby excluding the event from the definition of a breach.
The most basic example of a breach occurs when one patient’s records are accidentally sent or disclosed to another patient or individual. While this may seem trivial in a circumstance in which the content disclosed is rather limited, physicians must be aware of how to identify a breach and understand their obligations with respect to reporting.
Every HIPAA breach is reportable; what differs is the reporting timeline, which depends on the number of individuals affected by the event. In instances where fewer than 500 individuals are affected by the breach, practices must maintain a system of logging or otherwise documenting these breaches as they occur during the calendar year. Practices must then submit a detailed account of all such events to the Secretary of the U.S. Department of Health and Human Services (HHS), through the HHS Office for Civil Rights, no later than 60 days after the end of the calendar year. Immediate notification to the Office for Civil Rights is required in the event that a breach affects more than 500 individuals.
Recent OIG reports signal an upcoming increase in OCR activity and oversight of HIPAA covered entities, even in the absence of a breach.
On September 29th, the Office of Inspector General (OIG) in the U.S. Department of Health and Human Services (HHS) released two reports which reviewed the successes and shortcomings in the Office for Civil Rights’ (OCR) oversight of Health Insurance Portability and Accountability Act (HIPAA) compliance for covered entities. OCR is responsible for overseeing covered entities’ compliance with the HIPAA standards, which include the Breach Notification Rule, the Privacy Rule and the Security Rule. In one report, the OIG provided conclusions and recommendations from its study of covered entities’ compliance with the HIPAA Privacy Rule, while in the other report, the OIG provided conclusions and recommendations from its investigation of OCR’s follow-up on breaches of patient health information that are reported to OCR. In both studies, the OIG reached some similar conclusions. The guidance provided by these reports should be recognized by providers for what it is: a harbinger of OCR’s likely future enforcement activity.
One of the key findings by the OIG that is likely to have a direct impact on providers: OCR will now proactively audit covered entities to monitor compliance with the Privacy Rule, as opposed to its traditional approach of initiating investigations as a result of complaints or breach reports. The fact that OCR has not been proactively auditing covered entities has allowed for some level of comfort for covered entities, as there has not been a great concern that OCR will conduct an investigation of a covered entity unless a potential breach or violation is reported. It is likely that this will be changing in the very near future, as the OIG has recommended that OCR improve its oversight of covered entities and take a proactive stance by instituting a permanent audit program, as opposed to OCR’s current reactive posture. In addition, the OIG recommended improving the tracking system which OCR uses to keep records about investigations of covered entities. Such improvements in record-keeping and tracking of investigations could mean that OCR will be more likely to impose penalties, as it will be able to more easily determine when covered entities are the subject of multiple investigations.
Regarding the follow-up of breaches, the OIG made some similar recommendations concerning the need for OCR to improve its tracking system. The OIG recommended that OCR more uniformly enter information about breaches, whether large or small, into a searchable database. At present, OCR has largely focused on thoroughly investigating large breaches (e.g. breaches of 500 or more affected individuals) that are reported to it. However, the OIG has now recommended that OCR also track and follow up on small breaches that are reported to it. This could have a significant impact on providers who may have experienced several small breaches, as it will be more likely that OCR will now closely track and examine covered entities that experience several small breaches. In addition, the OIG recommended that OCR maintain more complete documentation in its database of corrective actions taken by covered entities that experience a breach. Currently, because OCR does not keep thorough records of corrective actions, covered entities may be able to get away with implementing few changes if they experience a breach. Once OCR implements these recommendations to better document corrective actions taken by covered entities, it will place greater scrutiny on those corrective actions to ensure that covered entities carry out the necessary changes and prevent the occurrence of a similar breach in the future.
It is extremely important for providers to understand how to comply with HIPAA, as well as what to do if they experience a breach. These reports serve to emphasize the importance of compliance and the ways in which OCR will begin to more actively investigate HIPAA compliance. Here at The Verden Group we can offer assistance in reviewing your HIPAA protocols and ensuring you have all the required forms up to date and properly disseminated to your patients.