Do you understand how and when to report a HIPAA related data breach?

In Part Two of a two-part series, Sarah Badahman, owner of HIPAAtrek, appeared on TNtv to discuss the importance of accurate reporting once a HIPAA related incident has occurred.

Rules for HIPAA Violations by Populaton Size

She said there are two sets of rules. One for breaches involving less than 500 individuals and one for those exceeding 500.

When 500 or less are involved, the breach must be reported to the Office for Civil Rights (OCR) on their website at A portal has been set up for this purpose. The breach should be reported by the end of the calendar year.

All of the impacted individuals should be notified of what type of breach occurred, how it occurred and what steps are being taken to protect their information.

For larger breaches, similar to the one that occurred at Anthem, the incident should still be reported to OCR but needs to be done so in a shorter period of time. In Missouri it should be reported within 60 days of its occurrence.

In the larger case, a four factor risk assessment should be performed. This includes a thorough risk analysis around the incident and the development of a complete mitigation plan.

Mitigating a HIPAA Breach

The mitigation plan should include a list of dates and tasks, and who will accomplish them. Each should be documented. The goal is to have all matters in writing should the OCR decide to conduct an investigation.

In all cases, the media needs to be notified. The company should make a public acknowledgement of the breach and post it on their website. Individuals impacted by the incident should also be contacted.

In larger cases a company may wish to create a security incident response team. A toll free number should be generated so the team can field questions from the affected parties.

Business associates of the company where the breach occurred must follow the same rules as if they were the primary holder the data. This includes attorneys, consultants and related vendors. A business agreement should be written between the healthcare facility and the related parties as to how any potential breach will be handled and reported.

If investigated, companies not in compliance are likely to face a fine. Investigators can levy fines based on lack of awareness or lack of action to address the problem.

Companies dealing with sensitive data should analyze all aspects of their network, hardware and software. Security policies and procedures should be created and implemented. An IT firm can assist in this process.

Badahman indicated it is not a matter of “if” a breach will occur but “when”.

HIPAAtrek can create, implement and manage a customized HIPAA compliance program for each individual business dealing with sensitive data.

For more information contact HIPAAtrek at 618-334-1474 or