OCR Breach Reporting: 2013 “Small Breach” Report due Saturday and Recent Settlement for Lack of Breach Notification Procedures

Amy Leopard
Amy Leopard

Guest post by Amy Leopard, partner, Bradley Arant Boult Cummings in Nashville, Tenn.

Don’t forget that the end-of-the-year reporting of Health Insurance Portability and Accountability Act (HIPAA) breaches of unsecured protected health information (PHI) discovered in 2013 is due Saturday, March 1, 2014.

Healthcare providers and health plans that are covered entities under HIPAA must report breaches of unsecured PHI affecting fewer than 500 individuals annually to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). These small breaches should already have been reported to each of the affected individuals, and reports to the OCR should include the actions to mitigate and remediate any breaches, even those affecting a single individual. Reports to the OCR of large breaches (those affecting 500 or more individuals) are made at the time of reporting to the affected individuals—that is, without unreasonable delay and in no case greater than 60 days.

Covered entities may report small breaches electronically at the OCR’s website: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

Recent OCR Resolution Agreement

The reporting deadline comes on the heels of the most recent OCR resolution agreement with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, which netted a $150,000 payment and corrective action plan. The resolution agreement settles potential HIPAA violations resulting from allegations that the practice failed to have breach notification procedures in place.

The OCR investigated the practice after an unencrypted thumb drive containing PHI of 2,200 individuals was reported stolen from a staff member’s car. Although the practice reported that the thumb drive did not include sensitive health information or financial information and that to its knowledge no PHI had been used, the OCR determined that the practice did not (1) conduct an accurate and through risk assessment as part of its security management process until over a year after the breach or (2) comply with the HIPAA requirement for written policies and procedures and training on breach notification requirements until four months after the breach occurred. The corrective action plan requires the practice to develop and submit to the OCR a risk analysis and management plan to address security risks and vulnerabilities.


The OCR continues to emphasize the critical need of having a thorough risk assessment updated regularly, including the need to address encryption of portable media.

This resolution further highlights the importance of having a written incident response plan in place, training staff to properly report incidents internally, and timely reporting any breaches of unsecured PHI to the OCR.

Write a Comment

Your email address will not be published. Required fields are marked *