Washington—HIPAA-covered dental practices and other health care entities must report breaches of protected health information to the U.S. Office for Civil Rights under the federal breach notification rule. Reporting deadlines vary for breaches involving fewer or more than 500 individuals.
For breaches involving fewer than 500 individuals, a HIPAA-covered dental practice must provide notice of such breaches to the OCR within 60 days of the end of the calendar year in which the breaches were discovered. March 1, 2014, is the deadline for reporting breaches discovered in 2013. If a breach affects 500 or more individuals notification is required “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
The Health Insurance Portability and Accountability Act breach notification rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission apply to vendors of personal health records and their third party service providers under the separate 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.
The OCR, a Department of Health and Human Services agency, enforces HIPAA privacy and security rules and investigates health information privacy complaints. Notice of a breach must be submitted electronically at http://ocrnotifications.hhs.gov by completing all information required on the form. A separate form must be completed for every breach.
If a dental practice reports a breach and then discovers additional information to report, the dental practice may submit an additional form, checking the appropriate box to indicate it is an updated submission. If at the time of submission of the form, it is unclear how many individuals are affected by a breach, the OCR said it will ask the dental practice for an estimate. As more information becomes available, an additional breach report may be submitted as an addendum to the initial report.
For reporting information visit http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. Dental practices with questions regarding completion and submission of the reporting form can contact OCR by e-mail at OCRPrivacy@hhs.gov.