The Department of Health and Human Services (“HHS”) has posted to its website a notification form that may be used to report breaches of unsecured protected health information to the agency. Although some state agencies requiring notice of a breach employ a standard reporting form, the form issued by HHS has several unique features and requests more information than a typical breach reporting form. Some interesting features of the form include:
- The form may be used to report both breaches affecting 500 or more individuals, as well as breaches affecting fewer than 500 individuals, although the former must be notified to the agency within 60 days of discovery and the later need only be logged over the course of the year and reported to the agency on an annual basis.
- The form requires that, if the breach occurred "at or by" a business associate, that business associate must be identified by name and contact information must be provided. The form is, however, required to be completed by the covered entity.
- The form requires a description of the breach and provides drop-down lists to facilitate the description of the type of breach (e.g., theft, loss, improper disposal, etc.), the location of the "breached information" (e.g., laptop, desktop computer, network server, etc.) and the type of PHI affected (e.g., demographic information, financial information, clinical information or "other").
- The form further requests a description of the safeguards that were in place prior to the breach and a description of actions taken in response to the breach, again via selection from a drop-down list. Actions taken in response to the breach also may be described in narrative form.
- The form requires completion of an attestation that the information provided is accurate, and acknowledgement that the Office of Civil Rights ("OCR") may be required to release information provided via the form pursuant to the Freedom of Information Act, that some of the information will be posted to HHS’s web site, and that OCR will use the information to provide an annual report to Congress, as required by the HITECH Act.
- The form also may be used to submit an "initial breach report" or an "addendum to previous report," implying that covered entities could submit the form based on then-available information and later file an addendum, which may be necessary in some cases to avoid missing the 60-day reporting deadline.
The form, which is intended to be submitted electronically, includes all of the required elements specified by the HITECH Act and HHS’s implementing regulations. HHS also has provided instructions for completing the form.