All covered entities must report any Protected Health Information (PHI) breaches to the U.S. Department of Health and Human Services (HHS). If the breach affected more than 500 individuals, then the organization has 60 days to report the incident. If the breach affected less than 500 individuals, the organization may report the breach annually. The annual deadline for reporting 2021 small healthcare data breaches to HHS is March 1, 2022.
If the organization does not report the breach by March 1, 2022, it may face noncompliance penalties. When a covered entity cannot find contact information for 10 or greater individuals, then it is the responsibility of the organization to post a notice on their own webpage regarding the breach, and the breach information must be posted on the home webpage for at least 90 days. When a PHI breach affected greater than 500 individuals, then the breach must also be reported to notable media outlets. All covered entities and their business associates are required to follow the breach notification rules.
The Department of Health and Human Services explains that covered entities must also comply with administrative requirements regarding breach notifications. HHS reminds all covered entities that they must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with their related policies and procedures.
Issue
Appropriate team members of the organization must be knowledgeable on PHI data breach requirements. Just as important, all staff members must be knowledgeable on what a data breach consists of and their role in preventing data breaches. The organization’s privacy officer should be knowledgeable and assist in training staff on their roles in preventing data breaches. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.
Discussion Points:
- Review your policies and procedures on reporting a PHI data breach. Update your policy as needed.
- Train all staff on what constitutes a PHI data breach, their roles in preventing it, and steps to take if they identify that a breach has occurred. Document that these trainings occurred and file each signed document in the employee’s education file.
- Periodically audit to ensure that staff members are following policies and procedures for protecting PHI, and if a PHI data breach has occurred, audit to ensure that PHI data breach requirements have been met.