OCR Launches Updated HIPAA Breach Reporting Portal with Reporting Implications
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently launched an updated web portal for reporting breaches of unsecured protected health information (PHI) as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule. Among other changes, the updated version requires users to submit data that was previously optional. The updated version is live, and new requirements apply to 2014 breach notification reports that have not yet been submitted.
HIPAA requires covered entities to submit reports of breaches of unsecured PHI affecting fewer than 500 individuals within 60 days of the end of the calendar year (i.e., March 2, 2015 for calendar year 2014). Covered entities have the flexibility to submit reports as breaches occur (with addenda as additional information becomes available) or collectively at the end of the calendar year. Such breach reports are submitted via the OCR’s web portal.
The previous version of the web portal allowed users to enter responses to mandatory and optional data fields on one web page. The updated version instead uses a wizard that guides users through a multistep process. At each step (i.e., general, contact, breach, notice of breach and actions taken, attestation, and summary), the user responds to questions and/or inputs relevant information in order to move to the next step. The updated portal adapts the steps to information provided by the user (e.g., whether the user is a covered entity or a business associate filing a report on behalf of a covered entity).
While the wizard format allows for expanded functionality, the updated format also includes noteworthy updates to required breach report information and options available for describing safeguards and responses to breaches.
Required Information. With the updated web portal, “Breach End Date” and “Discovery End Date” are now required fields as opposed to optional information in the previous version.
Safeguards. When designating “Safeguards in Place Prior to the Breach,” users may now select among general safeguard options (e.g., none, Privacy Rule Safeguards, Security Rule Administrative Safeguards, Security Rule Physical Safeguards, and Security Rule Technical Safeguards). The previous web portal version included more specific, technical options (e.g., Firewalls, Secure Browser Sessions, Strong Authentication, and Encrypted Wireless).
Response to Breach. Unlike the safeguards portion of the breach reporting, the updated web portal includes additional, technical options for designating “Actions Taken in Response to Breach.” The previous web portal version included more general options (e.g., Security and/or Privacy Safeguards, Mitigation, Sanctions, Policies and Procedures, and Other) while the updated version includes 15 more specific, detailed options (e.g., Adopted Encryption Technologies, Implemented Periodic Technical and Nontechnical Evaluations, Performed a New/Updated Security Rule Risk Analysis, Provided Business Associate with Additional Training on HIPAA Requirements, Revised Business Associate Contracts, Revised Policies and Procedures, Sanctioned Workforce Members Involved (Including Termination), Trained or Retrained Workforce, and Other (which requires a narrative explanation)).
The additional detail required for reporting under the updated web portal may indicate OCR’s increased focus on breaches affecting fewer than 500 individuals as well as the types of safeguards, mitigation, and corrective action OCR may expect in response to breaches.
Entities should confirm that their breach logs tracking incidents throughout the year are updated to collect all of the required breach reporting information.