Covered entities must submit an annual report to the OCR by March 1, 2015 for breaches affecting fewer than 500 individuals. Breach notification obligations differ depending on whether the breach affects 500 or more individuals or fewer than 500 individuals.
A covered entity that discovers a breach of unsecured protected health information (PHI) affecting fewer than 500 individuals must submit its annual notification to the Office for Civil Rights (OCR) within 60 days of the end of the calendar year in which the breaches occurred. (See 45 C.F.R. 164.408.) All notifications must be submitted to the OCR using the Web portal. A separate form must be completed for each breach that has occurred during the calendar year. Covered entities should analyze each potential breach under the Health Information Technology for Economic and Clinical Health Act (HITECH) regulations, including documented incident reports, risk of harm analyses, and notification documents, where applicable.
If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the OCR of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically by completing all of the required fields of the breach notification form.
If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the OCR, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report.
Covered entities unsure of whether to report an incident should speak to a qualified attorney immediately to begin the related investigation and analyses.
By Denise Bloch