HHS Publishes Fact Sheet on HIPAA Privacy, Security and Breach Notification

Working in conjunction with CMS, the Office of Civil Rights (OCR) published a fact sheet on the HIPAA Privacy, Security, and Breach Notification Rules. The fact sheet provides general information for HIPAA covered entities, which, as noted on the first page of the fact sheet, includes business associates of covered entities. This information is part of the training materials available on the OCR website, including educational programs for providers that may be utilized as Continuing Medical Education credits.

Providers and business associates may want to take particular note of the timeline for breach notification: in the fact sheet, OCR provides a table detailing the requirements of covered entities when a breach occurs. Individuals must be notified of a breach within 60 days of discovery of the breach, regardless of how many individuals are affected by the breach. This timeline highlights the importance of covered entities having policies and procedures in place to deal with a breach, as “discovery” of a breach is defined in the HITECH Act as the first day on which such breach is known to any person, other than the individual committing the breach, that is an employee, officer, or other agent of the covered entity or business associate, or should reasonably have been known to such entity or associate (or person) to have occurred.
