Employer group health plans that had a breach of unsecured protected health information (PHI) involving fewer than 500 individuals must report such breaches to the Secretary of Health and Human Services (HHS) annually, within 60 days following the end of the calendar year in which the breach was discovered. This means that HIPAA breaches discovered in 2015 must be reported no later than February 29, 2016.
Breach reports must be made through the HHS Office for Civil Rights (OCR) Breach Portal.
This article provides additional information on what constitutes a breach of unsecured PHI, who must be notified if such a breach occurs, and how, when, and to whom the covered entity must report such a breach. If the covered entity is a group health plan, it will usually be the plan sponsor who must report the breach and comply with HIPAA’s breach notification procedures.
Who Must Report and What?
Covered entities (such as employer group health plans, health insurers, medical providers, hospitals) must report breaches of unsecured PHI to affected individuals and also to the Secretary of HHS, and in some cases to prominent local media.
A breach is presumed to have occurred if there was an impermissible use or disclosure of protected health information (PHI), unless the covered entity (or business associate, as applicable) demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment that considers at least the following four factors specified in HHS guidance (the assessment and its conclusion should be documented, since the burden of proof is on the covered entity):
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
What Reporting is Required and When?
When breaches must be reported, and to whom, depends on how many individuals were affected.
- Any breach of unsecured PHI must be reported to the individuals affected, without unreasonable delay and in no case later than 60 days following the discovery of the breach.
- If the breach involved unsecured PHI of fewer than 500 individuals, the covered entity must keep a log of the breaches and report them annually to HHS. This annual report must include all such breaches that were discovered in the prior calendar year and must be filed within 60 days after the end of the calendar year in which the breach was discovered.
- If the breach involved unsecured PHI of 500 or more individuals, the covered entity must notify HHS without unreasonable delay and no later than 60 calendar days from the date the breach was discovered.
- If the breach involved unsecured PHI of 500 or more residents of the same state or jurisdiction, the covered entity also must notify prominent media outlets serving the state or jurisdiction. This will likely be in the form of a press release. This media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach, and must include the same information required for the individual notice.
What is Unsecured PHI?
Unsecured protected health information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance. HHS guidance specifies only encryption and destruction as the technologies and methodologies that will be considered to render PHI “secure” – i.e., “unusable, unreadable, or indecipherable to unauthorized individuals.” For encryption, the guidance points to the NIST publications on protecting data at rest (NIST SP 800-111) and data in transit (NIST SP 800-52, 800-77, and 800-113), and it requires that the decryption key not have been compromised along with the data (for example, a lost laptop whose disk encryption key was written on a note in the bag is not “secured”). For destruction, paper and other hard-copy media must be shredded or destroyed so the PHI cannot be read or reconstructed, and electronic media must be cleared, purged, or destroyed consistent with NIST SP 800-88. (Additional information is on the HHS website.)
- What this means for employers: If you protect PHI only with access controls, passwords, or other safeguards that are not encryption or destruction as described in the guidance, the PHI is still considered “unsecured” for purposes of the HIPAA breach notification rule, however effective those safeguards are in practice. Thus, if a breach occurs, you will have to comply with the breach notification rules listed above, unless you perform a risk assessment using at least the four factors listed above and determine that there is a low probability the PHI has been compromised.
For details on encryption or destruction requirements, see the HHS webpage “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” at http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.