October 20, 2009 – HIPAA Breach Notifications to HHS
As we reported (here), the HITECH Act requires group health plans to notify the United States Department of Health and Human Services (HHS) when a breach of protected health information (PHI) has occurred. Please see our prior alert for a specific discussion regarding the meaning of “breach” and the circumstances in which such notifications are required.
HHS has posted forms on its website for use by covered entities when providing the required notifications. The website, including the form and instructions for completing the form, are at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.
The website includes forms for both breaches affecting less than 500 individuals (which are reported at the end of the year) and breaches affecting 500 or more individuals (which are reported at the time of the breach). The forms are intended to be completed and submitted online.
Please contact us if you have any questions regarding these notifications, or if you need our assistance with preparing a notification to HHS.
__________________________________________________________________
The information contained in this ALERT is intended for general information purposes only and does not constitute legal advice relative to a specific situation.