By: Jeremy W. Rogers
HIPAA covered entities, meaning health care providers, health plans, and health care clearinghouses, are required to report “small” data breaches of unsecured protected health information by March 1, 2017. A small breach is one that affects fewer than 500 individuals; covered entities must log such breaches and report them to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) no later than 60 days after the end of the calendar year in which they were discovered. The March 1, 2017 deadline therefore applies to breaches discovered in 2016, and it is fast approaching. Note that this annual reporting deadline governs only the report to OCR; notification to the affected individuals is still required without unreasonable delay and no later than 60 calendar days after discovery, regardless of how many individuals are affected.
In the past, some covered entities may have treated the small breach reporting deadline as not terribly important, although it should never have been treated that way. Events over the past several months should have changed this attitude considerably and emphasized the importance the OCR places on timely reporting.
First, in August 2016, the OCR announced an important change in emphasis toward breaches affecting fewer than 500 individuals. At the time of the announcement, the OCR, through its regional offices, began an initiative to investigate such breaches more widely. The regional offices retained discretion in prioritizing which small breaches to investigate, but the directive was that each office should increase its efforts to identify, and obtain corrective action for, entity-level and systemic noncompliance through more widespread investigation of small breaches.
Second, in the first resolution agreement announced in 2017, a covered entity agreed to settle potential violations of the HIPAA breach notification rules. This was the first HIPAA enforcement action for untimely breach notification, and it resulted in a settlement approaching $500,000.00 in addition to a corrective action plan. Although the case did not involve untimely reporting of small breaches (the covered entity failed to timely report breaches affecting more than 500 individuals), it illustrates clearly how seriously the OCR takes timely reporting.
It should also be noted, although this is of little help for breaches discovered in 2016, that a covered entity is not required to wait until the annual deadline to report small breaches and, in many instances, should consider reporting them closer to the date of discovery. A breach is treated as “discovered” on the first day it is known to the covered entity, and knowledge held by any workforce member or agent of the covered entity (other than the person who committed the breach) is imputed to the entity. A covered entity is also deemed to have “discovered” a breach on the day it would have known of it through the exercise of reasonable diligence. In other words, a covered entity cannot simply put its head in the sand and claim it did not have knowledge; the clock starts when it should have known, not when it chose to find out.
Given the foregoing, timely reporting of small breaches is clearly imperative. To that end, covered entities must pay particular attention to the approaching March 1, 2017 deadline and confirm that every breach discovered in 2016 that affected fewer than 500 individuals has been logged and is ready to be submitted to the OCR.
The FMG Data Security & Privacy team is available to help covered entities investigate potential data breaches and comply with all notification and reporting requirements under HIPAA.