The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR of a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408. The changes could impact covered entities planning to submit their 2014 breach notification reports for incidents affecting fewer than 500 individuals within 60 days of the end of the calendar year, as permitted under 45 C.F.R. § 164.408(c).

While the previous version of the Breach Portal consisted of a single Web page where the user could input the information to be included in the report, the updated Breach Portal utilizes a “Wizard” format in which the user inputs information in successive stages. The Wizard also adapts to the information provided—for example, different information is required if the user indicates it is a business associate filing the report on behalf of a covered entity versus a covered entity filing on its own. The Wizard also includes expanded functionality, such as the ability to add expanded contact information for multiple covered entities or business associates.

But perhaps the most important changes involve the information required in the report. Unlike the previous version of the Breach Portal, a “Breach End Date” and a “Discovery End Date” are no longer optional and must be provided in order to submit the report. The updated Breach Portal also replaces the original options available for selection as “Safeguards in Place Prior to the Breach”—which formerly included 10 somewhat technical options: Firewalls, Packet Filtering (router-based), Secure Browser Sessions, Strong Authentication, Encrypted Wireless, Physical Security, Logical Access Control, Anti-Virus Software, Intrusion Detection, and Biometrics—with the following more general options:

  • None
  • Privacy Rule Safeguards (Training, Policies and Procedures, etc.)
  • Security Rule Administrative Safeguards (Risk Analysis, Risk Management, etc.)
  • Security Rule Physical Safeguards (Facility Access Controls, Workstation Security, etc.)
  • Security Rule Technical Safeguards (Access Controls, Transmission Security, etc.)

The updated Breach Portal also replaces the original options available for selection as “Actions Taken in Response to Breach”—which formerly included Security and/or Privacy Safeguards, Mitigation, Sanctions, Policies and Procedures, and “Other”—with 15 much more detailed options:

  • Adopted encryption technologies
  • Changed password / strengthened password requirements
  • Created a new/updated Security Rule Risk Management Plan
  • Implemented new technical safeguards
  • Implemented periodic technical and nontechnical evaluations
  • Improved physical security
  • Performed a new/updated Security Rule Risk Analysis
  • Provided business associate with additional training on HIPAA requirements
  • Provided individuals with free credit monitoring
  • Revised business associate contracts
  • Revised policies and procedures
  • Sanctioned workforce members involved (including termination)
  • Took steps to mitigate harm
  • Trained or retrained workforce members
  • Other (which, if selected, requires additional narrative explanation)

Given the detail required by the updated Breach Portal, a covered entity’s decision about which of these options to select when submitting a breach report could impact subsequent OCR investigations of reported incidents. These updates could also be viewed as an indication of the types of safeguards and corrective actions OCR expects to see in connection with breach reports.

As the March 2, 2015, 60-day deadline for reporting 2014 breaches affecting fewer than 500 individuals to HHS rapidly approaches, covered entities will need to carefully evaluate their breach report submissions in light of the recent Breach Portal updates. Failure to do so could trigger OCR investigations.

This blog post is a joint submission with BakerHostetler’s Health Law Update blog.