Covered Entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are subject to the U.S. Department of Health and Human Services (HHS) Interim Final Rule (Rule), issued under Section 13402 of the Health Information Technology for Economic and Clinical Health Act (HITECH). Among other mandates, the Rule requires Covered Entities (e.g., health care providers, health plans, and health care clearinghouses) to notify affected individuals, HHS, and the media of breaches of unsecured protected health information (PHI) in certain circumstances.

For reportable breaches affecting 500 people or more, the Covered Entity must notify HHS of each breach without unreasonable delay and in all cases within 60 days. For reportable breaches affecting fewer than 500 persons, the Covered Entity must notify HHS within sixty (60) days following the end of the calendar year. Although the Rule technically became effective on September 23, 2009, HHS indicated in the Rule that it will not enforce the notification requirements for reportable breaches occurring prior to February 22, 2010.

In October 2009, HHS established an online reporting system for submitting breach notifications to HHS, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

The online security breach reporting form requires each Covered Entity to attest that the information provided is accurate and acknowledge that: (1) the Office of Civil Rights (OCR) may be required to release information provided via the form pursuant to the Freedom of Information Act; (2) some of the information will be posted to the HHS Web site; and (3) OCR will use the information to provide an annual report to Congress, as required by the HITECH Act. Notwithstanding the enforcement delay until February 2010, according to HHS, some Covered Entities have already used the online form to notify HHS of security breaches.

We noted that the HHS online reporting system is accessible to the general public and, although the reporter must provide contact information, the system does not include a mechanism to ensure that a reporter is an authorized representative of a Covered Entity. As a result, HHS may find it difficult to distinguish legitimate breach notification reports submitted by authorized representatives of Covered Entities from reports submitted by unauthorized individuals or entities. This may be particularly troublesome if HHS publicly posts information collected from such online reports without verifying their legitimacy.

Foley contacted HHS to seek more information regarding this issue and will provide further information as it becomes available. In the interim, we strongly encourage all Covered Entities using the HHS online reporting system to input a unique case or facility number for each submitted report. The unique number can be inserted in the text box in which the Covered Entity provides a brief description of the breach. This will enable the Covered Entity to quickly identify breach notification reports that were not submitted by an authorized representative of the Covered Entity.
