As explained in our March 2009 and September 2009 articles, employer health plans and other “covered entities” are required to notify affected individuals and the Department of Health and Human Services (“HHS”) when they breach certain of the privacy requirements imposed by the Health Insurance Portability and Accountability Act (“HIPAA”). HHS has now posted on its website an online form by which such breaches may be reported to HHS.
The online form differentiates between breaches affecting fewer than 500 individuals and those affecting 500 or more. This is because breaches affecting fewer than 500 individuals need not be reported to HHS until 60 days after the end of the calendar year in which the breach occurred, whereas larger breaches must be reported within 60 days after discovery of the breach (i.e., the same deadline that applies to notifying affected individuals).
The online form asks for a substantial amount of information concerning each breach. For instance, a plan should be prepared to describe the type and location of the breach, the type of information that was disclosed (demographic, financial, or clinical), the safeguards that were in place to prevent the breach, actions taken to notify the affected individuals and media of the breach, and any subsequent mitigation or corrective actions.
Business associates of covered entities will become subject to these breach notification requirements as of February 17, 2010. Their obligation, however, is simply to notify the covered entity of the breach – including the names of the individuals who were affected by it. It is then up to the plan or other covered entity to fill out the online form. Plans will therefore want to ensure that all of their business associates are aware of this breach notification requirement – and have committed themselves to complying with the reporting rules.