When a breach in PHI security has been discovered, you should initially report it internally within your organization, typically to your supervisor or the designated privacy officer, and if the breach occurred at a business associate, it should also be reported to the covered entity, then, depending on the scale of the breach, it needs to be reported to the Department of Health and Human Services Office for Civil Rights within a specified timeframe, and finally, affected individuals must be notified promptly, and for larger breaches, prominent media outlets must also be alerted. The reporting process is important and HIPAA training is required, as each step is designed to mitigate potential harm to patients and to uphold the integrity of healthcare organizations in compliance with the HIPAA law.
| Reporting Step | Description |
|---|---|
| Internal Reporting | Report the breach to your immediate supervisor or the designated privacy officer within your organization. They can guide you on the subsequent steps based on the company’s protocols. |
| Report to Covered Entity | If the breach occurred at a business associate, report it to the covered entity with which the business associate has a relationship. |
| Report to HHS OCR | If the breach affects 500 or more individuals, report to the Department of Health and Human Services Office for Civil Rights without unreasonable delay and in no case later than 60 days from the discovery of the breach. |
| Notify Affected Individuals | Notify affected individuals promptly if their PHI has been breached, without unreasonable delay and in no case later than 60 days following the discovery of a breach. |
| Notify Media | If the breach impacts 500 or more individuals, the covered entity is also required to notify prominent media outlets serving the state or jurisdiction where the affected individuals reside, in addition to promptly notifying the OCR. |
You should report the breach internally within your organization as the first step. Typically, this would be your immediate supervisor or manager. However, many organizations have a designated privacy officer or a specific department responsible for overseeing HIPAA compliance and handling such breaches. It is their job to assess the situation, determine the severity of the breach, and guide you through the subsequent steps of the breach notification process. They would also launch an internal investigation to understand the extent of the breach and begin implementing measures to prevent similar incidents in the future.
If the breach occurred at a business associate – an entity that performs services for your organization that involve access to PHI – it should also be reported to the covered entity with which the business associate has a relationship. As per HIPAA regulations, covered entities, which can be providers, health plans, or healthcare clearinghouses, are ultimately responsible for the PHI they maintain, transmit, or receive, even when a breach is the fault of a business associate. Therefore, it is imperative to notify the covered entity about the breach so they can take appropriate action.
Following internal reporting procedures, and depending on the extent of the breach, the incident should also be reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI. According to the HITECH Act, breaches affecting 500 or more individuals must be reported to the OCR without unreasonable delay, and in any case, no later than 60 days from the discovery of the breach. If the breach affects fewer than 500 individuals, covered entities must report the incident to the OCR no later than 60 days from the end of the calendar year in which the breach was discovered.
The next group of people who must be notified of a PHI breach are the affected individuals themselves. HIPAA regulations mandate that covered entities must notify affected individuals promptly if their PHI has been breached. The notification, which must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, should include a brief description of the breach, the type of information involved in the breach, the steps affected individuals should take to protect themselves, a brief description of what the covered entity is doing to investigate the breach, mitigate harm, and protect against further breaches, as well as contact information for individuals who have additional questions.
For larger breaches that impact 500 or more individuals, there’s an additional requirement. Not only must the OCR be notified promptly, but the covered entity is also required to notify prominent media outlets serving the state or jurisdiction where the affected individuals reside.
Discovering a PHI security breach triggers a series of reporting requirements designed to protect individuals and uphold the integrity of healthcare organizations. From immediate supervisors or privacy officers within your organization, to the OCR and the affected individuals, each entity plays a critical role in responding to the breach. The goal is to ensure transparency, maintain trust, and protect individuals from potential harm. It’s a process that underscores the critical importance of safeguarding PHI and the profound implications of a breach.
