No plan administrator wants to find out that the protected health information of their plan participants may have been compromised. HIPAA violations and breaches can cause a lot of headaches for a plan administrator and for health plan participants. And if you are one of the unlucky ones who has had to deal with that issue, your first concern was likely protecting and notifying your participants. Hopefully, notice went out to your participants and steps were taken to mitigate the breach. These are steps that most plan administrators realize they must take, and they usually do so right away.
However, some plan administrators don’t realize that there is also a requirement to notify HHS, even if the breach impacted only a single participant. If a breach impacts 500 or more participants, the breach must be reported to HHS without unreasonable delay, and in no event later than 60 days following discovery of the breach. In these large-breach scenarios, the covered entity must also notify the media. If the breach impacted fewer than 500 people, a covered entity doesn’t have to report the breach to HHS right away. Instead, it must report the breach within 60 days following the end of the calendar year in which the breach occurred. So if you had a breach last year and haven’t yet reported it to HHS, the clock is ticking and you must do so by March 1. HHS has made it easy for covered entities to report breaches through an electronic submission process on its website.
Another thing that some plan administrators don’t realize is that it is their legal responsibility to report breaches that occurred at one of their business associates if the breach involved their participants’ protected health information. You can negotiate in your business associate agreements that the business associate will be responsible for reporting any breaches to HHS. However, the legal responsibility lies with the covered entity. Therefore, if the breach your plan experienced occurred at a business associate, you should confirm in writing with your business associate that it reported the breach to HHS on your behalf. If it did not, you still have to report the breach yourself, including any breaches that impacted fewer than 500 of your participants.