The recently updated HIPAA Breach Reporting Tool (HBRT) will highlight recent healthcare data breaches and help consumers learn how such incidents are investigated, according to OCR.
The agency explained in a statement that the new HBRT “features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents.”
“The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations,” OCR stated.
The HBRT was first launched in 2009 under the HITECH Act to publish information on data breaches affecting 500 or more individuals. That information includes the entity's name, the state in which it is located, the number of affected individuals, the date the breach took place, the type of breach (e.g. hacking or a lost device), and where the breached data was located, such as on a laptop or in paper records.
OCR explained that features in the new HBRT include the following:
- Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
- New archive that includes all older breaches and information about how breaches were resolved
- Improved navigation to additional breach information
- Tips for consumers
“HHS plans on expanding and improving the site over time to add functionality and features based on feedback,” the statement explained. “The HBRT provides transparency to the public and organizations covered by HIPAA and helps highlight the importance of safeguards to protect the privacy and security of sensitive health care information.”
Per HIPAA regulations, individual notification must take place without unreasonable delay and no later than 60 days after the breach is discovered. This applies regardless of the size of the breach.
Breaches affecting fewer than 500 people may be reported to the Secretary annually rather than individually. However, these notices are due to the Secretary “no later than 60 days after the end of the calendar year in which the breaches are discovered.”
“If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below,” HHS states on its website. “If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission.”
The notification requirements apply only to unsecured PHI, meaning PHI that “has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”
“The guidance also applies to unsecured personal health record identifiable health information under the FTC regulations,” according to HHS. “Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.”
It is crucial for healthcare organizations to provide a timely data breach notification. Failure to do so could result in large-scale fines from OCR.
In January 2017, Presence Health agreed to a $475,000 OCR HIPAA settlement following a reported data breach and a subsequent delayed breach notification process.
The health network submitted a breach notification report to OCR on January 31, 2014, stemming from an incident on October 22, 2013.
However, “Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR,” according to an OCR investigation.
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” then-OCR Director Jocelyn Samuels said in a statement. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
Timely data breach notification, together with the updated HBRT, helps individuals learn about healthcare data breaches, so that those who may be affected can take the necessary steps to secure their information.