The HITECH Act's final breach notification regulations, issued in August 2009, require HIPAA covered entities and business associates to provide notification following a breach of unsecured protected health information.
For breaches that affect fewer than 500 individuals, a covered entity must notify the Secretary of HHS annually. Notification of all such breaches occurring after the effective date in 2012 must be submitted by March 1, 2013. Notices must be submitted electronically by following the link below and completing all information required on the breach notification form.
Breach Notification Tips
- If there is a breach of protected health information that risks causing financial, reputational, or other harm to an individual, the breach must be reported to the individual, and all such breaches must be reported to the Secretary of the US Department of Health and Human Services (HHS) at least annually. All breaches that occurred in 2012 must be reported to HHS no later than March 1, 2013.
- For every potential breach of PHI, the entity must determine whether the breached information presents a reasonable risk of harm to the affected individuals and, if so, notify them. The harm standard may be modified upon release of a final rule.
- Entities must adopt a breach notification policy and procedures to ensure accurate reporting and documentation of breaches, and must take steps to protect information from breaches by using encryption and proper disposal methods. Entities must follow the standards of the HIPAA Security Rule to protect information from breaches and must negotiate new Business Associate Agreements to include liability for breach notification and requirements for timely reporting.