What to do in the event of a data breach?

A breach is defined as an impermissible use or disclosure of Protected Health Information (PHI). A covered entity must notify the Secretary of the Department of Health and Human Services (DHHS) if it discovers a breach of unsecured protected health information. However, before you report anything, contact Aris so we can guide you through the process.

A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below.

If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum.

If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically and complete all of the required fields of the breach notification form. Some state laws are more stringent on the timeline. For example, Florida only allows 30 days for notification, and you must also notify the State Attorney General.

If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically and complete all of the fields of the breach notification form.

Step 2 Security Incident Procedures and Breach Notification Plan contains all the information you need. Use the Security Incident Report – Breach Notification Report to document any occurrences.

Security incidents must be documented. After completing the Security Incident Report, be sure to upload it to the system under the Uploads tab on your Profile page. Click “Add New” and, using the dropdown menu, select Security Incident Reports. When naming your files, be sure to start with the year, then the month and day. This will ensure your reports are in chronological order.

For example: 230601 Security Incident - misdirected fax

Regular network security scans and their associated result reports will help you with your documentation. These reports can be added under Uploads on your Profile page. Click “Add New” and, using the dropdown menu, select IT Reports. When naming your files, be sure to start with the year, then the month and day. This will ensure your reports are in chronological order.

For example: 230601 Network Audit or 230601 Computer status reports.

Our platform doesn’t protect you from data breaches, but it will help you respond appropriately if an unfortunate data breach ever occurs. Proper documentation can save you from fines and penalties.
