AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


HIPAA Breach Notification: About 30 Days Left To Notify HHS/OCR On Breaches Affecting Less Than 500

One of the advantages of using encryption software, if you're in the healthcare field, is that the loss of cryptographically secured sensitive data is protected from HIPAA/HITECH's Breach Notification Rules. If the data is not encrypted, you must notify the HHS's Office for Civil Rights within 60 business days of discovering the data breach. However, there is one caveat: if the number of people affected by the data breach is fewer than 500, it is not necessary to do so.

Collate Before Sending

This is not to say that HIPAA covered entities don't need to report such data breaches. Rather, they don't need to report the breaches within the specified 60 business days. Instead, covered entities are supposed to keep a log of all incidents affecting fewer than 500 patients and send one package at the end of the year.

This, among other things, is meant to keep the HHS/OCR from being inundated by too many incidents, and to allow them to focus on those issues that require "immediate" attention.

And past government reports justify the approach: the "Wall of Shame" at the HHS/OCR website lists a little over 1,000 breaches affecting more than 500 people since it began tracking in 2009, while reports show that tens of thousands of covered entities have sent in breach reports in the same period if you include breaches involving fewer people.

Deadline is Coming Soon

So, by when does one need to notify the HHS/OCR about incidents involving the PHI of fewer than 500 people?
By the end of the second month of the year after. Weird, right?

I guess an example would illustrate what that means: if you had a data breach that involves fewer than 500 people at any time in 2014, you need to notify OCR by the end of February 2015. In other words, before the next month is over.

Related Articles and Sites:
http://hipaablog.blogspot.com/2015/01/reporting-breaches-of-less-than-500.html
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.