The HIPAA reporting requirements are often confused with the notification requirements following a breach of unsecured Protected Health Information (PHI). While it is important to be aware of – and comply with – the breach notification requirements, it is also important to be aware of what other HIPAA reporting requirements may apply to your organization.
Reporting requirements can be found throughout the HIPAA Administrative Simplification Regulations. In the order in which they appear, they start in Subpart C of the HIPAA General Provisions (§160.310) with compliance reporting. This often-overlooked standard requires covered entities and business associates to keep records and submit compliance reports to HHS’ Office for Civil Rights when the agency investigates a complaint or conducts a compliance review.
The standard does not stipulate what a compliance report should consist of because the content of each report should relate to the nature of the complaint or review. The relevant clause in the standard is that the report must enable HHS’ Office for Civil Rights “to ascertain whether the covered entity or business associate has complied or is complying with the applicable administrative simplification provisions.”
Security Rule Reporting Requirements
The next point at which most covered entities and business associates encounter HIPAA reporting requirements is the Security Rule. The Security Rule has several standards related to reporting, including:
- The requirement to implement procedures for guarding against, detecting, and reporting malicious software, and procedures for monitoring log-in attempts and reporting discrepancies (§164.308(a)(5)(ii)(B) and (C)).
- Security incident procedures that identify and respond to suspected or known security incidents, mitigate their harmful effects, and document the incidents and their outcomes (§164.308(a)(6)).
- Security incident reporting by business associates to covered entities, or by subcontractors to upstream business associates (§164.314(a)(2)).
The first requirement does not specify whether reports must be generated by users or by technology, but both sources should be used. For example, if a user notices unusual activity on a workstation that may be attributable to malware, there should be a procedure for the user to report it rather than relying on AV software to catch the malware; likewise, failed log-in attempts should be monitored automatically rather than depending on a user noticing that their account has been targeted.
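The technology side of the log-in monitoring standard is easy to automate. The following script is an added example (not part of the original article and not an HHS-endorsed procedure): it parses constructed auth-log lines in the style of a Linux sshd log, counts failed log-in attempts per account and source address, and flags any pair that meets a threshold so the discrepancy can be fed into the organization’s reporting procedure. The log lines, hostnames, addresses, and the threshold of three failures are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a Linux auth.log (not real data).
SAMPLE_AUTH_LOG = """\
Mar 14 08:01:12 ehr-app1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Mar 14 08:01:14 ehr-app1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Mar 14 08:01:17 ehr-app1 sshd[2204]: Failed password for invalid user admin from 203.0.113.45 port 50130 ssh2
Mar 14 08:01:20 ehr-app1 sshd[2206]: Failed password for invalid user admin from 203.0.113.45 port 50131 ssh2
Mar 14 08:01:25 ehr-app1 sshd[2209]: Failed password for invalid user admin from 203.0.113.45 port 50140 ssh2
Mar 14 08:03:02 ehr-app1 sshd[2215]: Failed password for jsmith from 10.20.30.7 port 41002 ssh2
Mar 14 08:03:10 ehr-app1 sshd[2215]: Accepted password for jsmith from 10.20.30.7 port 41002 ssh2
Mar 14 08:05:44 ehr-app1 sshd[2230]: Failed password for nurse1 from 198.51.100.9 port 33012 ssh2
Mar 14 08:05:50 ehr-app1 sshd[2231]: Failed password for nurse1 from 198.51.100.9 port 33013 ssh2
Mar 14 08:05:58 ehr-app1 sshd[2232]: Failed password for nurse1 from 198.51.100.9 port 33014 ssh2
"""

# Matches sshd's "Failed password" line; the optional "invalid user " prefix
# tells us whether the targeted account even exists on the host.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def count_failed_logins(log_text):
    """Return a Counter keyed by (user, source_ip, invalid_user) -> failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m["user"], m["src"], m["invalid"] is not None)] += 1
    return counts


def login_discrepancies(log_text, threshold=3):
    """Return the (user, source) pairs with at least `threshold` failures.

    The threshold is an assumed value; a real procedure would set it per the
    organization's risk analysis and the log window being examined.
    """
    flagged = [
        {"user": user, "source": src, "invalid_user": invalid, "failures": n}
        for (user, src, invalid), n in count_failed_logins(log_text).items()
        if n >= threshold
    ]
    # Worst offenders first; source address breaks ties deterministically.
    return sorted(flagged, key=lambda e: (-e["failures"], e["source"]))


def format_report(entries):
    """Render flagged entries as plain text suitable for a ticket or e-mail."""
    if not entries:
        return "No log-in discrepancies above threshold."
    lines = ["Log-in discrepancies requiring review:"]
    for e in entries:
        kind = "non-existent account" if e["invalid_user"] else "existing account"
        lines.append(
            f"  {e['failures']} failures for {e['user']} ({kind}) from {e['source']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(login_discrepancies(SAMPLE_AUTH_LOG)))
```

Distinguishing “invalid user” failures from failures against real accounts matters for the report: a burst against a non-existent account looks like opportunistic scanning, while repeated failures against a real clinical account may indicate a targeted attempt and should be reviewed and documented as a security incident under §164.308(a)(6).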
The incident documentation produced under the second standard should be retained for future risk analyses. Although major security incidents may require the immediate implementation of safeguards to prevent them happening again, trends in minor security incidents can help an organization determine whether more technology or more HIPAA training is required.
The third requirement is probably the least complied with of all HIPAA standards. Business associates are required to report all security incidents of which they become aware, regardless of whether they result in a breach of unsecured PHI. Some business associates “give notice” of unsuccessful security incidents (for example, blocked port scans or failed log-in attempts) in their Business Associate Agreements so that each one need not be reported individually; others simply ignore the requirement despite the potential consequences.
The Breach Notification Requirements
The breach notification requirements occupy Subpart D of the Security and Privacy Provisions (§164.400 – §164.414). This Subpart defines a breach as “the acquisition, access, use, or disclosure of PHI in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the PHI” and lists the circumstances in which this definition does not apply, such as good-faith access by a workforce member that does not result in further impermissible use or disclosure.
Some covered entities and business associates could benefit from reading these exceptions again, because a substantial number of the incidents that appear on HHS’ breach reporting portal do not meet the reporting criteria of the HIPAA Breach Notification Rule. Reporting them wastes the resources of HHS’ Office for Civil Rights, whose time could be better spent pursuing serial violators.
With regards to the actual breach notification requirements, these are covered in depth elsewhere on this site, along with details of what information breach notifications should include and the penalties for failing to provide breach notifications or for failing to provide breach notification within the time allowed by the HIPAA Breach Notification Rule.
Privacy Rule Reporting Requirements
There are two important HIPAA reporting requirements in the Privacy Rule. The first of these – the requirement for business associates to report uses and disclosures of PHI “not provided for by” their Business Associate Agreement – is possibly the second least complied with of all HIPAA standards, because it is often misread as applying only to uses and disclosures not permitted by the Privacy Rule. In fact it is broader: a use or disclosure can be permitted by the Privacy Rule and still fall outside what the contract provides for.
Unlike the similar Security Rule standard referenced earlier, there is no way to circumvent this reporting requirement by giving prior notice of impermissible uses and disclosures; and, like the similar Security Rule standard referenced earlier, a failure to comply with this requirement (§164.504(e)(2)(ii)(C)) could be an indicator of other areas of non-compliance.
The second of the HIPAA reporting requirements in the Privacy Rule relates to a patient’s right to request an accounting of disclosures (§164.528). It is important to note that this requirement can also apply to a business associate, which must make available the information a covered entity needs to provide the accounting (§164.504(e)(2)(ii)(G)). This is particularly relevant when the business associate maintains a patient’s PHI in a different designated record set, with different identifying information, from the record set maintained by the covered entity.
Other HIPAA Reporting Requirements
Although there are no other HIPAA reporting requirements as such, there are a number of occasions when federal or state reporting requirements take precedence over HIPAA’s restrictions on uses and disclosures of PHI, because the Privacy Rule permits disclosures that are required by law or made for public health purposes (§164.512). Some are listed in the HIPAA Administrative Simplification Regulations and include, but are not limited to, when a healthcare organization is required to report:
- Adverse reactions to an FDA-regulated product,
- Workplace-acquired illnesses to employers,
- Injuries attributable to gunshot wounds,
- Certain types of infectious diseases,
- Elder/child abuse or neglect, or
- Domestic violence.
It is not always the case that reports of this nature are required by law. In certain circumstances, HIPAA allows healthcare providers to use their professional judgement to disclose PHI to public health or law enforcement agencies in order to reduce the risk of self-harm or harm to others. If you are a healthcare provider and are unsure about these circumstances, or need more information about the HIPAA reporting requirements, do not hesitate to seek professional compliance advice.