HIPAA Regulations: Notification in the Case of Breach -- Notification to the Secretary of HHS - § 164.408
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Regulations as Amended January 2013
(a) Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in §164.404(a)(2), notify the Secretary.
(b) Implementation specifications: Breaches involving 500 or more individuals. For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in §164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by §164.404(a) and in the manner specified on the HHS Web site.
(c) Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.
HHS Description and Commentary From the January 2013 Amendments
Section 13402(e)(3) of the HITECH Act requires covered entities to notify the Secretary of breaches of unsecured protected health information. The Act requires covered entities to report breaches affecting 500 or more individuals to the Secretary immediately. For breaches affecting fewer than 500 individuals, covered entities may maintain a log of all such breaches occurring during the year and annually submit such log to the Secretary.
To implement the statutory provisions, §164.408(a) contains the general rule that requires a covered entity to notify the Secretary following the discovery of a breach of unsecured protected health information. With respect to breaches involving 500 or more individuals, we interpreted the term “immediately” in the statute to require notification be sent to the Secretary concurrently with the notification sent to the individual under §164.404 (i.e., without unreasonable delay but in no case later than 60 calendar days following discovery of a breach). The rule provided that these notifications be provided in a manner to be specified on the HHS web site. Further, as required by section 13402(e)(4) of the Act, the interim final rule stated that the Secretary would begin to post and maintain on the HHS web site a list of covered entities that submit reports of breaches of unsecured protected health information involving more than 500 individuals.
Under these provisions, covered entities must notify the Secretary of all discovered breaches involving more than 500 individuals, without regard to whether the breach involved more than 500 residents of a particular State or jurisdiction (the threshold for triggering notification to the media under § 164.406 of the interim final rule). Thus, where a covered entity has discovered a breach involving 600 individuals, 300 of which reside in Maryland and 300 of which reside in the District of Columbia, notification of the breach must be provided to the Secretary concurrently with notification to the affected individuals. However, in this example, the breach would not trigger the requirement to notify the media under § 164.406 because the breach did not involve more than 500 residents of any one State or jurisdiction.
For breaches involving less than 500 individuals, § 164.408(c) requires a covered entity to maintain a log or other documentation of such breaches and to submit information annually to the Secretary for breaches occurring during the preceding calendar year. The interim final rule required the submission of this information to the Secretary no later than 60 days after the end of each calendar year. As with notification of the larger breaches, the interim final rule required that information about breaches involving less than 500 individuals be provided to the Secretary in the manner specified on the HHS web site.
Although covered entities need only provide notification to the Secretary of breaches involving less than 500 individuals annually, they must still provide notification of such breaches to affected individuals without unreasonable delay and not later than 60 days after discovery of the breach pursuant to § 164.404. In addition, pursuant to § 164.414(a), a covered entity must follow the documentation requirements that otherwise apply to the HIPAA Privacy Rule under § 164.530 with respect to the requirements of this rule. Thus, pursuant to § 164.530(j)(2), covered entities must maintain the internal log or other documentation for six years. Further, as with other required documentation, a covered entity must make such information available to the Secretary upon request for compliance and enforcement purposes in accordance with § 160.310.
Overview of Public Comments
Some commenters expressed concern regarding the timing of providing notification to the Secretary of breaches affecting fewer than 500 individuals. These commenters asked when notification should be provided if a covered entity discovers, after the reporting deadline, a breach that occurred in the previous year. Several others commented on the interim final rule’s process for providing the Secretary with breach notification. Some commenters asked that this process be revised to allow covered entities to maintain a log of all breaches affecting fewer than 500 individuals and then submit that log, via attachment (such as an Excel spreadsheet), to the Secretary on an annual basis. These commenters stated that submitting reports of these smaller breaches in this manner would be much less burdensome than submitting the reports individually.
Other commenters asked that we provide a template log for entities to use to document smaller breaches for annual submission to the Secretary. Additionally, several commenters suggested that there be access or authentication controls for submitting breach reports because of concerns of false breach reports being submitted to the Secretary without the covered entity’s knowledge.
Final Rule
The final rule retains § 164.408(c) with one modification. The modification clarifies that covered entities are required to notify the Secretary of all breaches of unsecured protected health information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were “discovered,” not in which the breaches “occurred.” We recognize that there may be situations where, despite having reasonable and appropriate breach detection systems in place, a breach may go undetected for some time. In these cases, if a breach of unsecured protected health information affecting fewer than 500 individuals that occurred in the previous year is discovered, the covered entity has until 60 days after the end of the calendar year in which the breach was discovered to provide notice to the Secretary. We emphasize, however, that this modification does not alter a covered entity’s obligation to promptly report the breach to affected individuals without unreasonable delay but in no cases later than 60 calendar days after discovery of the breach.
In response to the comments suggesting that covered entities be permitted to submit a log of all smaller breaches to the Secretary instead of submitting each breach individually through the online form, we agree that the current process may be burdensome for some entities and are considering alternative ways to receive such reports.
With respect to the commenters who asked that access or authentication controls be added to the breach reporting form, we do not believe this is necessary at the present time. Since the Department began receiving and processing breach reports on September 23, 2009, we have not yet received a report that has been falsely submitted by an individual or entity not acting on behalf of the covered entity. Additionally, we emphasize that following receipt of a breach report that affects 500 or more individuals, we contact the covered entity identified in the breach report and verify the information in the report before we post any information about the breach on the HHS Web site. If circumstances change in the future, we will explore options for modifying the process.
Response to Other Public Comments
Comment: One commenter asked that the final rule not interpret the term “immediately” in the statute to mean without unreasonable delay, but in no case later than 60 days, but rather to mean as soon as the breach is discovered. Another commenter asked that the final rule expand the timeframe for providing notification to the Secretary to no later than 120 days after discovery of a breach.
Response: We believe that our interpretation of “immediately” with respect to notification to the Secretary for breaches affecting 500 or more individuals is reasonable and appropriate and thus, retain the provision that requires such notice be provided contemporaneously with notice to the individual. Requiring contemporaneous notice allows the notice to the Secretary to include all of the information provided in the notice to the individual and better ensures that a covered entity does not report information to the Secretary that later turns out to be incorrect because the entity did not have sufficient time to conduct an investigation into the facts surrounding the breach. In addition, this interpretation satisfies the statutory requirement that notifications of larger breaches be provided to the Secretary immediately (as they occur) as compared to the reports of smaller breaches the statute allows be reported annually to the Secretary.
Comment: Some commenters asked for further guidance on submitting online breach notifications to the Secretary. Additionally, some commenters asked that HHS provide a confirmation to submitters that an initial breach report or an addendum to a breach report has been successfully submitted.
Response: Since the publication of the interim final rule, OCR has posted instructions for filling out and submitting the breach form on its Web site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. We will continue to examine the instructions for submitting breach notification to the Secretary and will update this information, as necessary, to ensure that covered entities are able to navigate and submit the form easily. The Department has also made changes to the process to ensure that covered entities receive a confirmation following their submission of breach notification to the Secretary. Additionally, we note that the breach reporting form does include an option for indicating that a submission is an addendum to a previous submission. OCR updates the original breach report, as appropriate, with any additional or modified information submitted in an addendum.
Comment: With respect to the posting of breaches affecting 500 or more individuals on the HHS website, some commenters stated that these breach submissions must be verified with the covered entity before they are posted publicly. Other commenters asked for clarification of what information will be posted, while another commenter asked that we post only the name of the covered entity involved in the breach. Finally, one commenter suggested that we only post these breaches on our website for a six month period.
Response: To provide helpful information to the public, OCR currently posts the following information regarding breaches affecting 500 or more individuals: name of the covered entity (and if applicable, the business associate) involved; State where the covered entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer). Prior to posting this information, OCR verifies the information in the breach notification report with the covered entity. We do not believe it would serve the public to only disclose the name of the covered entity involved in each of the breaches, because the additional information enables members of the public to understand the nature of the breach and to determine if the breach affects them directly. In terms of how long information about each of the breaches is to remain posted, we intend to maintain the information on our Web site for as long as there is public interest and the data can remain posted in a manner that gives the public access effectively and efficiently.
HHS Description and Commentary From the Interim Breach Rule: Notification in the Case of Breach -- Notification to the Secretary of HHS
Section 164.408 of the interim final rule implements § 13402(e)(3) of the Act, which requires covered entities to notify the Secretary of breaches of unsecured protected health information. For breaches involving 500 or more individuals, the Act requires covered entities to notify the Secretary immediately. For breaches involving less than 500 individuals, the Act provides that a covered entity may maintain a log of such breaches and annually submit such log to the Secretary documenting the breaches occurring during the year involved.
Section 164.408(a) of the interim final rule contains the general rule that requires a covered entity to notify the Secretary following the discovery of a breach of unsecured protected health information. Section 164.408(b) provides the implementation specification for breaches involving 500 or more individuals. Section 164.408(c) provides the implementation specification for breaches involving fewer than 500 individuals.
With respect to breaches involving 500 or more individuals, we interpret the term “immediately” in the statute to require notification be sent to the Secretary in the case of these larger breaches concurrently with the notification sent to the individual under §164.404, which must be sent without unreasonable delay but in no case later than 60 calendar days following discovery of a breach. Many commenters were concerned that covered entities would be required to provide notification to the Secretary in a much shorter time frame than the other notifications required by the Act, making it difficult for covered entities to comply. This interpretation thus allows the notice to the Secretary to include all of the information provided in the notice to the individual and better avoids the situation where a covered entity reports information to the Secretary that later turns out to be incorrect because the entity did not have sufficient time to conduct an investigation into the facts surrounding the breach. In addition, this interpretation satisfies the statutory requirement that notifications of larger breaches be provided to the Secretary immediately as compared to the reports of smaller breaches the statute allows be reported annually to the Secretary.
The interim final rule also provides that the notification be provided in a manner to be specified on the HHS web site. The Department will post instructions on its web site for submitting both this notification as well as the annual notification described below. In addition, as required by § 13402(e)(4) of the Act, the Secretary will post on the HHS web site a list of covered entities that submit reports of breaches of unsecured protected health information involving more than 500 individuals.
Covered entities must notify the Secretary of discovered breaches involving more than 500 individuals generally, without regard to whether the breach involved more than 500 residents of a particular State or jurisdiction (the threshold for triggering notification to the media under § 164.406 of the interim final rule). Thus, where a covered entity has discovered a breach of 600 individuals, 300 of which reside in Maryland and 300 of which reside in the District of Columbia, notification of the breach must be provided to the Secretary concurrently with notification to the affected individuals. However, the breach in this example would not trigger the requirement to notify the media under § 164.406 because the breach did not involve more than 500 residents of any one State or jurisdiction.
For breaches involving less than 500 individuals, § 164.408(c) requires a covered entity to maintain a log or other documentation of such breaches and to submit information annually to the Secretary for breaches occurring during the preceding calendar year. As recommended by several commenters, we have designated a date for submission of the information to the Secretary. The interim final rule requires the submission of this information to the Secretary no later than 60 days after the end of each calendar year. As with notification of the larger breaches above, the interim final rule provides that information about breaches involving less than 500 individuals is to be provided to the Secretary in the manner specified on the HHS web site. HHS will specify on its web site the information to be submitted and how to submit such information.
For calendar year 2009, the covered entity is only required to submit information to the Secretary for breaches occurring after the effective date of this regulation; i.e., on or after the effective date. Information about breaches occurring prior to that date need not be submitted. This is because, pursuant to §164.400, this subpart only applies to breaches occurring on or after that date.
We emphasize that although covered entities need only provide notification to the Secretary of breaches involving less than 500 individuals annually, they must still provide notification of such breaches to affected individuals without unreasonable delay and not later than 60 days after discovery of the breach pursuant to § 164.404. In addition, we note that pursuant to § 164.414(a), a covered entity must follow the documentation requirements that otherwise apply to the HIPAA Privacy Rule under § 164.530 with respect to the requirements of this rule. Thus, pursuant to § 164.530(j)(2), covered entities must maintain the internal log or other documentation for six years. Further, as with other required documentation, a covered entity must make such information available to the Secretary upon request in accordance with § 160.310.