The HHS Office for Civil Rights recently introduced a Web portal for data breach reporting. What's your take on the new portal? Is it changing how HIPAA-related breaches have to be reported, and if so, how do enterprises need to change their processes as a result?
The HIPAA Breach Notification Rule requires that organizations subject to HIPAA compliance formally notify the Secretary of Health and Human Services (HHS) whenever they experience a breach of unsecured protected health information. The recently released electronic portal is designed to facilitate this data breach reporting process. This new portal reflects a change in the back-end system for processing and managing HIPAA breach notifications at HHS and does not really represent a substantial change for covered entities.
The reporting requirements in the Breach Notification Rule remain in place. If a covered entity experiences a breach affecting 500 or more individuals, it has 60 days from the discovery of the breach to file a report with HHS containing details. If the breach affects fewer than 500 individuals, it must file the notice within 60 days of the end of the calendar year when the breach occurred. The breach notice must contain a description of the breach, the affected information and the covered entity's response to the breach.
When a covered entity accesses the breach notification portal, it will now find a wizard-driven process that walks through providing contact information, a description of the breach and actions taken, and an attestation of the correctness of the facts. This is the same information that HHS previously collected on an electronic form; it just has a new look and feel. Covered entities may also use the portal to file addendums to prior breach reports.
Organizations shouldn't need to change any business processes related to HIPAA breach notifications. Hopefully, they don't access this page often enough to even notice that there was a change.
Related Q&A from Mike Chapple