
Does the HHS Web portal affect data breach reporting?

HIPAA data breach reporting now uses an electronic Web portal, so what does this mean for covered entities? Expert Mike Chapple explains.

The HHS Office for Civil Rights recently introduced a Web portal for data breach reporting. What's your take on the new portal? Is it changing how HIPAA-related breaches have to be reported, and if so, how do enterprises need to change their processes as a result?

The HIPAA Breach Notification Rule requires that organizations subject to HIPAA compliance formally notify the Secretary of Health and Human Services (HHS) whenever they experience a breach of unsecured protected health information. The recently released electronic portal is designed to facilitate this data breach reporting process. This new portal reflects a change in the back-end system for processing and managing HIPAA breach notifications at HHS and does not really represent a substantial change for covered entities.

The reporting requirements in the Breach Notification Rule remain in place. If a covered entity experiences a breach affecting 500 or more individuals, it has 60 days from the discovery of the breach to file a report with HHS containing details. If the breach affects fewer than 500 individuals, it must file the notice within 60 days of the end of the calendar year when the breach occurred. The breach notice must contain a description of the breach, the affected information and the covered entity's response to the breach.

When a covered entity accesses the breach notification portal, it will now find a wizard-driven process that walks through providing contact information, a description of the breach and actions taken, and an attestation of the correctness of the facts. This is the same information that HHS previously collected on an electronic form; it just has a new look and feel. Covered entities may also use the portal to file addendums to prior breach reports.

Organizations shouldn't need to change any business processes related to HIPAA breach notifications. Hopefully, they don't access this page often enough to even notice that there was a change.


This was last published in September 2015
