Monday, July 10, 2023

 Reporting a breach right away will help a facility figure out if there are any risks. It will also help meet the deadlines for telling the affected people and the regulatory authorities. 


The Breach Notification Rule says CEs have to report breaches. If there is a breach, a facility will need to do the following:

More than 500

If more than 500 people are affected, the CE has to let the local media know. This also has to be done within 60 days of the breach being discovered.

Report to HHS

For any number of breaches, a CE has to tell the Secretary of the U.S. Department of Health and Human Services (HHS). There is a form on the HHS website that has to be sent. If there are over 500 people affected, HHS has to be told within 60 days of a breach. Breaches affecting fewer than 500 people have to be reported within 60 days of the end of the calendar year.

The CE has to document all breaches. It also has to keep proof that the required notifications were made. Other responsibilities of the CE include the following:

  • Having a policy and procedures regarding breach notification
  • Training employees in HIPAA policy and procedures
  • Holding staff accountable if breach policy and procedures are not followed

If a staff member thinks there has been a breach of PHI, how soon should they report it?

  • Report it one month later.
  • Report it at their performance review three months later.
  • Report it right away. (Correct answer)
  • Report it only when someone asks them if they noticed anything.

This module has reviewed the following about the Privacy Rule:

  • The Notice of Privacy Practices
  • The rights of people being cared for
  • Extreme risk protection orders
  • The Breach Notification Rule