HIPAA Breach Notification Rule, continued

The page below is a sample from the LabCE course HIPAA Privacy and Security Rules (to be retired 12/31/2020).


The HITECH Act requires a business associate to notify the covered entity when it discovers a breach of unsecured PHI. Business associates, if they are acting as agents of the covered entity, must notify the covered entity as soon as possible after the discovery and no later than 60 days following the discovery of a breach.
The covered entity is then required to notify HHS of the breach within a certain allotted time, which is determined according to when the business associate (if acting as an agent of the covered entity) discovered the breach.
There are differences in reporting based on the number of affected individuals:
Covered entities are required to notify HHS immediately of any breach affecting more than 500 individuals. The term "immediately" is interpreted by 45 CFR Part 164 as "without unreasonable delay but in no case later than 60 calendar days following discovery of a breach." For example, if a breach affecting more than 500 individuals occurred on December 5, 2018, and was discovered on January 1, 2019, the covered entity would have until March 1, 2019 (60 calendar days) to report the breach to HHS.
Covered entities must notify HHS of each breach affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breach was discovered (not when the breach occurred). For example, if a breach affecting fewer than 500 individuals occurred on December 5, 2018, and was discovered on January 1, 2019, the covered entity would have until March 1, 2020 (60 days after the end of the calendar year in which the breach was discovered) to report the breach to HHS.
It is very important that business associate contracts cover how and when the business associate will notify the covered entity of a suspected breach.