HHS Puts Out HIPAA Security Breach Reporting Guidance

May 6, 2005 (PLANSPONSOR.com) - Federal regulators have released new guidance about the requirements that plan sponsors and business associates report breaches of security covering patient medical information.

>The guidance, from the Centers for Medicare and Medicaid Services in the US Department of Health and Human Services (HHS), dealt with the strict security and confidentiality regulations passed as part of the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ).

>The guidance was prompted by concerns from health-care providers, providers’ business associates, and plan sponsors that HIPAA’s obligation to monitor and report security incidents could be overwhelming because of the breadth of the definition of “security incident” for HIPAA purposes and limited guidance on the scope of HIPAA’s security breach reporting requirements.

>The new HHS guidance said that a business associate contract and an employer’s plan documents could be the place to put down on paper the specific security incident reporting requirements and should be developed to meet the affected group health plan’s specific needs.

>According to regulators, issues that might be considered in developing the business associate contract or the plan amendment include:

  • what specific actions would be considered security incidents
  • how security incidents should be documented and reported
  • what information should be included in reports
  • how often security incidents should be reported
  • the appropriate responses to certain security incidents
  • whether identifying patterns of attempted security incidents is reasonable and appropriate.

Both contracts with health-care providers’ business associates and the plan documents of member employers must specify that all security breaches must be reported, HHS said.

The HHS Q&As include:

  • Requirements that health providers’ business associates report HIPAA security breaches is  here .
  • A health provider’s security obligations is  here .
  • Whether plan sponsors must report security incidents to a group health plan is  here .

>General information about HIPAA and its requirements is at  http://www.hhs.gov/ocr/hipaa/ .