HHS Provides On-line Breach Notice
Wednesday, October 07, 2009
A breach of unsecured protected health information (PHI) requires various disclosures under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Among the intended recipients is the Department of Health and Human Services (HHS), which recently created an online notice form for this purpose.
Covered entities are required to notify HHS. Covered entities include health plans, health care providers and health care clearinghouses. The form is composed of five sections:
- Covered Entity information
- Business Associate information
- Breach information
  - Dates of breach and discovery
  - Type of breach
  - Location of the PHI
  - Type of PHI (i.e., demographic, financial, clinical, other information)
  - Description of breach
- Information on notices sent and other actions taken
  - Information on the individual notices
  - Information on any substitute notices
  - Information on any media notices
  - Other actions taken, including security and/or privacy safeguards, mitigation, sanctions policies and procedures
- Attestation that the information is correct
The form can be used for the initial breach report and for any follow-up notification required as an addendum to the previous report.
If the breach involves 500 or more individuals as defined by the HITECH Act Regulations (see the September 2, 2009, News and Review article: HHS Issues Rule on HIPAA Breaches), the form must be completed without unreasonable delay and in no case later than 60 days from discovery of the breach. If the breach involves fewer than 500 individuals, the form must be completed within 60 days of the end of the calendar year in which the breaches occurred. Each breach requires a separate form.
As a reminder, the HITECH Act Regulations took effect on September 23, 2009, but HHS has delayed any penalties for HITECH Act violations until February 22, 2010.
HHS estimates that the form should take no more than 30 minutes to complete.