Breach Reporting

  • Are you aware of a breach of PHI within your organization?
  • Are you prepared to file a report?
  • Are you aware of the different reports required by the OCR?
  • Do you know the best way to report a breach that places you in a better light to avoid fines and penalties?
Data Breaches
HIPAA Associates has the knowledge to assist you throughout the Breach Reporting process. We will help keep you out of harm’s way.
Under the HIPAA Rules a covered entity must report a breach of unsecured protected health information to the Office for Civil Rights, a division of the Department of Health and Human Services.

Breach Report Assistance

Obtain assistance from the experts in the field. We have assisted organizations with HIPAA Breach Reporting for over 20 years. We can help you and your organization. Contact us today if you are unsure what is a breach of PHI.

HIPAA Breach Report Toolkit

Let us help you with our free Breach Report Tool covering all the steps you need to take immediately – and minimize your risk.

It also includes a worksheet of all the information you’ll need to initially collect, so that you can keep it all in one place as you work through the process of mitigation. Contact us and we will send it to you.

What is a Breach of PHI

A breach is generally, an impermissible use or disclosure under the HIPAA privacy regulations that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach.  This is true unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.

Exceptions to the Definition of a Breach

There are three exceptions to the definition of breach:

  1. An unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or business associate if such acquisition, access or use was made in good faith and within the scope of authority. The information cannot be further used or disclosed in a manner not permitted by the privacy rule.
  2. The inadvertent disclosure of PHI from a person authorized to access PHI at covered entity or business associate to another person authorized to access PHI at covered entity or business associate of covered entity, or organized health care arrangement in which the covered entity participates. The information cannot be further used or disclosed in a manner not permitted by the privacy rule.

If the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

Breach Analysis

Breach Risk Assessment

The covered entity must perform a Breach Risk Assessment and determine if a breach occurred which requires notification to the individual and OCR.

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

How do I handle a breach?

We’re sorry to hear that – both for you and your patients. We know how stressful and chaotic it probably is right now as you try to figure out next steps.

We’ve helped countless providers and organizations deal with this.

It is important to follow all the steps to report a breach to the OCR. Every breach is different and must be handled on a case by case basis.

A full breach analysis must be performed to determine if there was an impermissible use or disclosure that compromises the security of protected health information.

Factors to be resolved are:
1. The nature and extent of the breach including identifiers
2. The unauthorized person to whom disclosure is made
3. Whether the PHI was acquired or viewed
4. The extent to which the risk to PHI has been mitigated.

HIPAA Associates can help your organization through this process to ensure you follow all the important steps.

Notification Requirements

Individual Notice

Individuals affected must be notified by email or by substitute notice of discovery of the breach.

Timing

Individual notifications must be provided without unreasonable delay and in no case later than 60 days.

Media Notice

Must be given in event of a breach affecting more than 500 residents of a state or jurisdiction in addition to notifying the affected individuals.

Notice to the Secretary HHS/OCR

The breach notification by the covered entity will differ based on whether the breach affected 500 or more individuals or fewer than 500 individuals.

Follow this link to report breaches at the U.S. Department of Health and Human Services Office for Civil Rights.

HIPAA Associates & Breach Reporting

HIPAA Associates works with clients on presumed breaches. We will assist you in performing a breach risk assessment to determine if there is a breach of unsecured PHI. For incidents that are reportable breaches there are steps and deadlines to follow for breach reporting to the individual and to the Office for Civil Rights.

Follow Required Steps

It is important to follow all necessary steps to report a breach successfully. Breaches vary depending on the facts and circumstances.

Normally we draft the mandatory notice to the individual and the reports to the OCR on a case-by-case basis as there may be different reporting deadlines. We have the experience to know what information to include in a breach notification letter and in the report to the OCR.

Additionally, we will guide you through the additional steps that must take place for large breaches that affect 500 or more individuals.

HIPAA Associates manages breach analysis, notification to the individual(s) affected, mitigation of damages, retraining and reporting to the Office for Civil Rights.

We will assist you throughout the process from start to finish on all aspects including mitigation of damages, creating a corrective action plan, drafting notice letters, and reporting to the Office for Civil Rights.

If you have not experienced a breach?

That’s great!  But you should still prepare.  Most people don’t think about HIPAA compliance until it’s too late.  Moreover, the best way to deal with a HIPAA violation is to avoid it in the first place.

Be proactive. A first step is checking for weaknesses – and we can help.

Get our compliance checklist to see where your vulnerabilities lie.

HIPAA Compliance Checklist 2021

As your organization prepares to take on the challenges of HIPAA compliance you must have a game plan. At HIPAA Associates we are happy to provide you with a HIPAA Compliance Checklist that will assist you in successfully developing your HIPAA compliance plan. This checklist is a step by step guide that takes you through all the important steps the Office of Civil Rights expects from covered entities and business associates today.

Most important of all, HIPAA Associates consists of legal and medical professionals who speak your language. We understand the needs of your organization.