HIPAA Breaches

Think that breaches are rare or private? Think again. Section 13402(e)(4) of the HITECH Act requires the Secretary of the Department of Health and Human Services (DHHS) to post a list of breaches of unsecured protected health information (PHI) affecting 500 or more individuals; the list is maintained by the Office for Civil Rights (OCR). It currently shows over 400 such breaches, reported within the last 24 months, that are still under investigation by the OCR:

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

This does not include breaches that are no longer under investigation, nor breaches involving fewer than 500 individuals, which must also be reported. In addition to the substantial potential fines and penalties resulting from such an investigation, simply appearing on this list can do real damage to your business and to your patients' trust in you.

What if I simply don't report the breach? Breaches of unsecured PHI affecting 500 or more individuals MUST be reported to the affected individuals (§ 164.404), to prominent media outlets serving the affected State or jurisdiction (§ 164.406), and to the Secretary (§ 164.408) without unreasonable delay and no later than 60 calendar days after discovery. Smaller breaches must also be reported to the Secretary, but under a less stringent deadline: within 60 days after the end of the calendar year in which the breach was discovered. Failure to do so can result in serious penalties. HIPAA civil penalties (failure to report is only one of many potential violations) range from $100 to $50,000 per violation, depending on the circumstances, subject to an annual cap for each type of violation.
