Healthcare providers and other HIPAA covered entities have until
Wednesday, February 29, 2012 to submit notice of breaches of
unsecured Protected Health Information which affected fewer than
500 individuals during 2011. Notice must be submitted
electronically to the Secretary of Health & Human Services, and
separate forms are required for each data breach occurring in the
course of the calendar year.

This action is mandated by the Interim Final Rule for Breach
Notification for Unsecured Protected Health Information which
became effective on September 23, 2009. A breach is defined under
federal law as the unauthorized acquisition, access, use, or
disclosure of Protected Health Information (PHI) in a manner that
violates the HIPAA Privacy Rule and compromises the privacy or
security of the PHI. Determining whether a breach has occurred,
however, requires the analysis of a number of additional factors.

Under the Interim Final Rule, breaches affecting fewer than 500
individuals must be reported to the Secretary within 60 days of
the end of the calendar year.

Covered entities must document data breaches affecting fewer than
500 individuals in their breach logs as the breaches occur
throughout the year, but they are not required to publicly report
these breaches until 60 days after the end of the calendar
year.