Medicare Compliance & Reimbursement

Reader Questions:

Understand These Small Breach Reporting Basics

Question: Over the last year, we’ve had a few minuscule privacy breaches. Does our practice need to report every small HIPAA breach throughout the year, or can we wait until the end of the year? Also, will it trigger an audit if we submit the different breach issues all at once?

North Carolina Subscriber

Answer: Some providers wonder whether reporting small breaches to the Department of Health and Human Services (HHS) in a single batch at the end of the year, alongside the small-breach reports every other provider files at the same time, is “less noticeable” than submitting breach notifications as they occur throughout the year.

Whether you report small HIPAA breaches as they occur or all at once at the end of the year should make little difference in terms of triggering an audit, says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.

What HHS is really looking for — and what may trigger an audit — is whether your practice has similar small breaches that could indicate a systemic problem, Sheldon-Dean warns. HHS will “take a look at all the potential issues and then make decisions as to whether they need to do any kind of compliance investigation,” he says.

Know These Small Breach Facts

If you’re a covered entity (CE) and have breaches that each affect fewer than 500 individuals, you must notify the HHS Secretary of those breaches no later than 60 days after the end of the calendar year in which the breaches were discovered. The 500-individual threshold is counted per breach, not across the year: a breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery, not held for the annual filing.

Timeline: “For small breaches discovered in 2020, the deadline for reporting is March 1, 2021,” remind attorneys Laura Dona and Madison Pool with Arnall, Golden, Gregory LLP in online legal analysis.

You must submit your reports electronically, and each breach incident is entered as a separate report. Breaches that occurred on different days and involve different issues can still all be submitted on the same day.

Remember: Individuals whose protected health information (PHI) was affected by the breach must be notified, too, without unreasonable delay and no later than 60 days after the breach is discovered. Notice goes by first-class mail to the individual’s last known address, or by email if the individual has agreed to receive electronic notice. The annual deadline for reporting small breaches to HHS does not extend the deadline for notifying the affected individuals.

No matter the size or scope of the incident, all HIPAA breaches are reported through the OCR breach portal at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.

Tip: Even a small practice can reduce its exposure by working to prevent breaches in the first place and by putting compliant business associate agreements (BAAs) in place with its vendors. Building the initial compliance resources and office protocols can be daunting, but it’s essential to educate your staff and your business partners and to set up a breach management plan that covers detection, risk assessment, notification, and documentation.

Bottom line: “Each breach must be reported, even if it affected as few as one individual,” warn Dona and Pool.

Resource: Review OCR guidance on breach reporting at www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
