Capital Checkup Archives

October 9, 2009

HHS Posts Reporting Form for HIPAA Breaches

The Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification requirements require covered entities, including group health plans, to notify individuals when there is a breach involving their unsecured protected health information (PHI).[1] HITECH also requires that reports be provided to the Department of Health and Human Services (HHS). The number of individuals affected by a breach determines when the notices must be filed with HHS.

HHS has now published an online form for reporting breaches of unsecured PHI. The HHS form provides a checklist for plan sponsors who experience a breach of unsecured PHI. Plan sponsors can use the form to help them track breaches and to assure that appropriate preventive measures are in place.

The new form only applies to breaches of unsecured PHI. In order to be a breach subject to this reporting, the breach must represent a violation of the privacy rule and must involve PHI that has not been secured using the safe harbor recently published by HHS (i.e., encryption or destruction).[2]

Time Deadlines for Reporting a Breach to HHS

If a breach of unsecured PHI involves 500 or more individuals, the group health plan must report to HHS at the same time that the plan notifies affected individuals (without unreasonable delay and in no case later than 60 calendar days after discovery of the incident). All breaches involving fewer people must be reported to HHS on an annual basis, within 60 days of the end of the calendar year.

Electronic Reporting Process & Form

HHS has now published the form for reporting these breaches to HHS.[3] Group health plans must use the same electronic form regardless of the number of people affected by the breach, but will need to complete a separate form for each incident. The instructions state that only covered entities may report to HHS using this form. As a result, even in situations where the plan and its business associate agree that the business associate will notify affected individuals, it appears that the plan is responsible for submitting the required reports to HHS. For breaches occurring between September 23, 2009 (the law's effective date) and December 31, 2009, these annual reports must be submitted to HHS by March 1, 2010.

The form uses a series of drop-down menus to collect information about the following:

  • Type of breach (e.g., theft, loss, improper disposal, authorized access, hacking/IT incident),
  • Location of the breached information (e.g., laptop, desktop computer, network server, e-mail, other portable electronic device, paper),
  • Type of PHI involved (demographic information, financial information, clinical information),
  • Safeguards in place prior to the breach (e.g., firewalls, packet filtering, secure browser sessions, strong authentication, encrypted wireless, physical security, logical access controls, anti-virus software, intrusion detection, biometrics), and
  • Actions taken in response to the breach (e.g., security and/or privacy safeguards, mitigation, sanctions, policies and procedures).

In addition to the drop-down menus, covered entities must provide a narrative response that includes a brief description of the incident and of other actions taken following the breach. Covered entities must also report the date individual notices were provided, whether substitute notices were used because sufficient contact information was lacking, and whether notice to the media was required under the circumstances.

Implications for Plan Sponsors

With the breach notification requirements already in effect (since September 23, 2009), plan administrators should take the time to become familiar with the reporting form. The layout of the form may assist plan sponsors in collecting pertinent information when there is a breach of unsecured PHI.

●  ●  ●

As with all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for authoritative advice on the interpretation and application of the breach notification requirements. Sibson Consulting can be retained to work with plan sponsors and their attorneys on HIPAA compliance.

[1] For a detailed discussion of the breach notice rules, see Sibson Consulting's September 2009 Bulletin, "Final Regulations on Security Breach Notification for HIPAA Protected Health Information."
[2] For more information about the safe harbor rule, see Sibson Consulting's May 22, 2009 Capital Checkup, "HHS Guidance on Securing Protected Health Information and Avoiding Breach Notification."
[3] The instructions for the form (with links to the form) are available on the HHS Web site.

Capital Checkup is Sibson Consulting's periodic electronic newsletter summarizing activity in Washington with respect to health care and related subjects. Capital Checkup is for informational purposes only. It is not intended to provide guidance on current laws or pending legislation. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.