HIPAA covered entities (healthcare providers, health plans or healthcare clearinghouses) that discovered a breach of Protected Health Information (PHI) in 2013 involving fewer than 500 individuals are required to report those breaches by March 1, 2014.
The HITECH Breach Notification Rule requires covered entities to notify the affected individuals and the Secretary of the U.S. Department of Health and Human Services (HHS) (and in some cases, the media) of breaches of unsecured PHI, and requires business associates (generally, contractors or vendors who perform services or functions for covered entities and have access to PHI) to notify covered entities of breaches of unsecured PHI. In 2013, the Office for Civil Rights (OCR) of HHS revised the standard for determining whether a breach occurred. Any use or disclosure of unsecured PHI that is not permitted under the HIPAA Privacy Rule is now presumed to be a breach (and therefore triggers the notification obligations) unless either the incident satisfies one of three relatively narrow exceptions, or the covered entity or business associate demonstrates a low probability that PHI has been compromised, based on a risk assessment of at least four factors as set forth in the Breach Notification Rule. The prior definition of “breach” (which was in effect prior to Sept. 23, 2013) focused on a “risk of harm” analysis.