Under the stimulus law, HIPAA-covered entities and their contractors are required to report to HHS immediately if a breach involves the records of 500 or more individuals.
HHS, in turn, is required to keep records of these notices and publish a list of the providers or business associates that reported these larger breaches.
In addition, providers and business associates are to report annually any lesser breaches to HHS, which is obliged each year to make a report to Congress on the breach notification law.
Last August, HHS issued an interim final rule on the workings of the breach notification provisions of the stimulus law. The rule went into effect in September.
A copy of the form approved by the federal Office for Management and Budget for use by providers and covered entities in reporting breaches is posted on the HHS Web site.
The HHS breach rule requires breaches affecting 500 or more people to be reported to HHS “contemporaneously” with notice to the individual involved, that is, “without unreasonable delay and in no case later than 60 calendar days after a covered entity discovers a breach,” according to the ONC announcement, which was officially published Tuesday in the Federal Register. A 40-day public comment period on the notice runs from that date.
The HHS Web site listing breaches involving the records of 500 or more individuals is already up and busy, with 59 healthcare organizations' notices posted between July 8, 2009, and March 9, 2010. The largest breach reported to the list was by Blue Cross and Blue Shield of Tennessee, with 500,000 persons affected. The Blues plan reported earlier this month that it had raised the number of impacted individuals to more than 998,000.