[ Monday, January 13, 2014 ]
Small Data Breach Reporting: Welcome to 2014! Covered entities must report all (small) breaches occuring in 2013 to the Secretary of HHS by the end of February. If you had a big breach, one involving 500 or more individuals, you should have reported to the affected individuals and HHS (and local media) within 60 days of becoming aware of the breach, but if you had a small breach, you needed to notify the individuals within 60 days, but need not notify HHS until year-end.
Jeff [12:17 PM]
Sometimes you'll have a handful of small technical breaches (records faxed to the wrong number, for example), which involve a quick and easy note to the patient. Those are often put out of mind once they're done. But the annual reporting requirement is still there, even though you might've forgotten about that little incident. . . .
The year-end reporting requirement is easier but still a little tech-intensive. It involves filling out a form on the HHS website for each breach incident, which involves actual input by the covered entity, so it takes a little time. But it's painless, and it's the law.
Blogger: HIPAA Blog - Edit your Template