Healthcare providers and other HIPAA covered entities have until Wednesday, February 29, 2012, to submit notice of breaches of unsecured Protected Health Information that affected fewer than 500 individuals during 2011. Notice must be submitted electronically to the Secretary of Health & Human Services, and separate forms are required for each data breach occurring in the course of the calendar year.
This action is mandated by the Interim Final Rule for Breach Notification for Unsecured Protected Health Information, which became effective on September 23, 2009. A breach is defined under federal law as the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner that violates the HIPAA Privacy Rule and compromises the privacy or security of the PHI. Determining whether a breach has occurred, however, requires the analysis of a number of additional factors. Under the Interim Final Rule, breaches affecting fewer than 500 individuals must be reported to the Secretary within 60 days of calendar year end.
Covered entities must document data breaches affecting fewer than 500 individuals in their breach logs when the breaches occur throughout the year, but they are not required to publicly report these breaches until 60 days after the end of the calendar year.
If you need additional information with respect to filing a data breach notice, determining whether a data breach has occurred or other elements of HIPAA privacy law, please contact Stephen Page or any member of the Waller Healthcare Department at 800-487-6380.
The opinions expressed in this bulletin are intended for general guidance only. They are not intended as recommendations for specific situations. As always, readers should consult a qualified attorney for specific legal guidance.