
Serious Reportable Events are a patient-safety concept, not a HIPAA one. The term comes from the National Quality Forum's list of "never events" (wrong-site surgery, a medication error that results in serious harm, and similar occurrences) and describes events that cause serious harm to one or more patients.
These events are not reported to the HHS Office for Civil Rights (OCR), and HIPAA imposes no 24-hour deadline for them; whether and how they must be reported is governed by state patient-safety law and accreditation requirements, not by HIPAA, and OCR publishes no guidelines for them.
What HIPAA does make reportable is a breach of unsecured protected health information. The rest of this article covers those events: what counts as a breach, the exceptions and the risk assessment, and who must be notified and by when.
HIPAA Reportable Events
A HIPAA reportable event is a breach of unsecured protected health information (PHI) that requires notification to the affected individuals, the Secretary of HHS, and, when 500 or more residents of one state or jurisdiction are affected, prominent media outlets serving that area.
Under HIPAA, a reportable event occurs when there's an unauthorized access, theft, loss, or disclosure of PHI, which can happen through various means, including cyberattacks.
Some examples of reportable events include unauthorized access of PHI by an employee, theft or loss of devices containing PHI, and unauthorized disclosure of PHI.
These events are considered reportable because PHI has been disclosed to unauthorized parties or there's a high likelihood it has.
To identify a reportable event, an organization should detect a security incident, conduct a risk assessment, determine if there are exceptions, and notify the necessary parties.
The risk assessment must consider at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.
If a thorough, good-faith assessment of these factors fails to demonstrate a low probability that PHI was compromised, breach notification is required.
Three situations are excluded from the definition of a breach: (1) unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of the covered entity or business associate, made in good faith and within the scope of that authority, provided the PHI is not further used or disclosed impermissibly; (2) inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement; and (3) a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
Here are two common incidents that usually turn out not to be reportable:
- Handing the wrong receipt to a patient at checkout and retrieving it immediately
- Faxing a patient's information to the wrong provider by accident
The first typically falls under the "unable to retain" exception. The misdirected fax is not automatically excepted: the outcome depends on the recipient (for example, another HIPAA-covered provider who confirms the fax was destroyed) and must be supported by a documented risk assessment showing a low probability that the PHI was compromised.
On the other hand, incidents like the following are generally reportable:
- A patient being given another patient's physical therapy order and not noticing until their next therapy appointment
- A patient being given another patient's medical record and not noticing until they review it
These are reportable because an unauthorized person held the PHI long enough to read and retain it, so the entity cannot demonstrate a low probability of compromise.
Notification Requirements
Notification Requirements are a crucial part of HIPAA's Breach Notification Rule.
Covered Entities (CEs) must notify affected individuals and the Secretary of HHS of every breach of unsecured PHI, and prominent media outlets when a breach affects 500 or more residents of a state or jurisdiction. The process runs from discovery of the breach, through the risk assessment, to notification of the affected parties.
CEs must have procedures in place to identify when a breach has occurred. A breach is treated as discovered on the first day it is known to the CE, or would have been known by exercising reasonable diligence; knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the CE. Upon discovering a potential breach, CEs must conduct and document a risk assessment to determine whether the PHI has been compromised.
Regardless of how many individuals are affected, CEs must notify each affected individual without unreasonable delay, and no later than 60 calendar days after discovery of the breach. The notice must describe what happened (including the date of the breach and the date of discovery), the types of unsecured PHI involved, steps individuals should take to protect themselves, what the CE is doing to investigate, mitigate harm, and prevent recurrence, and how to contact the CE.
If the breach involves 500 or more individuals, CEs must also notify the Secretary of HHS without unreasonable delay, and no later than 60 days after discovery. If the breach involves fewer than 500 individuals, CEs may instead log it and report it to HHS annually, within 60 days after the end of the calendar year in which the breach was discovered.
If a breach affects 500 or more individuals in a specific jurisdiction or state, CEs must also notify prominent media outlets serving the state or jurisdiction.
Here's a summary of the notification requirements:
- Affected individuals: every breach; without unreasonable delay and no later than 60 days after discovery
- Secretary of HHS: 500 or more individuals, within 60 days after discovery; fewer than 500, within 60 days after the end of the calendar year of discovery
- Prominent media: 500 or more residents of one state or jurisdiction, within 60 days after discovery
CEs must also maintain a log or other documentation of breaches of unsecured PHI, including those affecting fewer than 500 individuals, and must document the risk assessment for any incident they conclude is not a breach. Business Associates (BAs) must notify the CE of a breach of unsecured PHI at or by the BA without unreasonable delay and no later than 60 days after discovery, including the identities of the affected individuals where known, so that the CE can meet its own notification obligations.
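The decision path in the paragraphs above, as an added example that is not part of the original article or any of its cited sources: a small Python triage helper that takes the facts of an incident (discovery date, affected individuals per state, whether the PHI was secured, any claimed exception, and the conclusion of the documented four-factor assessment) and returns every required notice with its latest permissible date. The `Incident` and `Obligation` structures, the field names, the constructed sample incidents, and the choice to count the annual deadline as 60 days from 31 December are this example's own assumptions, not an official HHS schema.

```python
"""Breach-notification triage helper.

Added example for this article; not code from HHS or from any cited source.
It encodes the decision path described above: unsecured PHI -> exception
check -> documented risk assessment -> who must be notified and by when.
The Incident/Obligation structures and the sample incidents below are this
example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class BreachException(Enum):
    NONE = "no exception claimed"
    UNINTENTIONAL_GOOD_FAITH = "unintentional, good-faith access by a workforce member within scope of authority"
    INADVERTENT_AUTHORIZED = "inadvertent disclosure between persons authorized to access PHI at the same entity"
    CANNOT_RETAIN = "good-faith belief the unauthorized recipient could not retain the PHI"


NOTICE_WINDOW = timedelta(days=60)  # "in no case later than 60 calendar days"
LARGE_BREACH = 500                  # threshold for contemporaneous HHS notice and for media notice


@dataclass
class Incident:
    discovered: date                   # first day known, or knowable with reasonable diligence
    affected_by_state: dict[str, int]  # individuals affected, keyed by state/jurisdiction of residence
    unsecured: bool = True             # False if the PHI was encrypted/destroyed per HHS guidance
    exception: BreachException = BreachException.NONE
    low_probability_demonstrated: bool = False  # conclusion of the documented four-factor assessment


@dataclass
class Obligation:
    party: str
    deadline: date
    note: str


def annual_hhs_deadline(year: int) -> date:
    """Deadline for the annual report of sub-500 breaches discovered in `year`.

    The Rule says within 60 days after the end of the calendar year; counting
    60 days from 31 December gives 1 March, or 29 February when the following
    year is a leap year. File earlier rather than relying on the last day.
    """
    return date(year, 12, 31) + NOTICE_WINDOW


def is_reportable_breach(inc: Incident) -> bool:
    """An impermissible use/disclosure is presumed a breach unless an exception
    applies or the risk assessment demonstrates a low probability of compromise."""
    if not inc.unsecured:
        return False  # the Rule covers unsecured PHI only
    if inc.exception is not BreachException.NONE:
        return False
    return not inc.low_probability_demonstrated


def notification_obligations(inc: Incident) -> list[Obligation]:
    """Return every required notice with its latest permissible date."""
    if not is_reportable_breach(inc):
        return []  # still document the incident and the assessment that excused it
    total = sum(inc.affected_by_state.values())
    by_discovery = inc.discovered + NOTICE_WINDOW
    obligations = [Obligation(
        "affected individuals", by_discovery,
        "written notice by first-class mail, or email only with the individual's agreement")]
    if total >= LARGE_BREACH:
        obligations.append(Obligation(
            "Secretary of HHS", by_discovery,
            f"{total} individuals: report via the OCR portal without unreasonable delay"))
    else:
        obligations.append(Obligation(
            "Secretary of HHS", annual_hhs_deadline(inc.discovered.year),
            f"{total} individuals: log now, report in the annual submission"))
    # Media notice is decided per state/jurisdiction on that state's residents, not on the total.
    for state, count in sorted(inc.affected_by_state.items()):
        if count >= LARGE_BREACH:
            obligations.append(Obligation(
                f"prominent media outlets serving {state}", by_discovery, f"{count} residents affected"))
    return obligations


if __name__ == "__main__":
    # Constructed sample incidents (not real breaches).
    samples = {
        "stolen unencrypted laptop": Incident(date(2023, 3, 10), {"CA": 620, "NV": 40}),
        "misrouted statements, 12 patients": Incident(date(2022, 7, 1), {"TX": 12}),
        "stolen encrypted laptop": Incident(date(2023, 3, 10), {"CA": 620}, unsecured=False),
        "wrong receipt, taken straight back": Incident(
            date(2023, 5, 2), {"WA": 1}, exception=BreachException.CANNOT_RETAIN),
    }
    for name, inc in samples.items():
        print(f"\n{name}:")
        obligations = notification_obligations(inc)
        if not obligations:
            print("  not a reportable breach; document the incident and the assessment")
        for ob in obligations:
            print(f"  notify {ob.party} by {ob.deadline.isoformat()} ({ob.note})")
```

The four-factor assessment is deliberately an input (`low_probability_demonstrated`) rather than something the code scores: it is a documented judgment, and a helper that invented a scoring formula would give false confidence. Note that the annual deadline computed here for breaches discovered in 2023 is 29 February 2024, one day ahead of the 1 March 2024 date quoted later on this page; treat the earlier date as the safe one.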
Identifying and Documenting Events
A reportable event under HIPAA is a breach of unsecured protected health information, such as unauthorized access, theft, or loss of devices containing PHI, or unauthorized disclosure of PHI.
To identify a reportable event, an organization must first detect a security incident, whether through cybersecurity tooling (logging, alerting, data loss prevention), employee reports, risk assessments, or audits. Once an incident is detected, the organization must conduct a risk assessment against the four factors above, document the result, and record the corrective actions taken to prevent recurrence.
The organization must also determine whether one of the three exceptions applies (unintentional good-faith access within the scope of authority, inadvertent disclosure between authorized persons at the same entity, or inability of the recipient to retain the PHI). If an impermissible use or disclosure is confirmed, no exception applies, and the risk assessment does not demonstrate a low probability of compromise, the event is reportable and the organization must follow the Breach Notification Rule to notify the affected individuals, the Secretary of HHS, and, where the 500-resident threshold is met, prominent media outlets.
Here are the steps to identify a reportable event:
- Detect a security incident
- Conduct a risk assessment
- Determine if exceptions apply
- Notify the necessary parties
The adverse-event guidance in the following sections comes from a different regime, IRB oversight of human-subjects research, and is not part of HIPAA: non-reportable research events, such as planned holds or safety issues the IRB has already approved, still have to be documented and retained in the Principal Investigator's (PI's) study files for follow-up.
Identifying Events
Identifying a reportable event under HIPAA starts with recognizing an impermissible use or disclosure of unsecured protected health information (PHI). Detection can come from cybersecurity tools, employee reports, risk assessments, vulnerability scans, or audits.
Once an incident is detected, the organization should conduct a risk assessment of the four factors (the nature and extent of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation), document it, and keep it on file together with the corrective actions taken.
A reportable event can be caused by unauthorized access to PHI by an employee, theft or loss of devices that contain unencrypted PHI, unauthorized disclosure of PHI, or a cyberattack that exposes or potentially exposes PHI.
The organization should also consider the exceptions to the definition of a breach: unintentional acquisition or access in good faith by a workforce member acting within their authority, inadvertent disclosure between persons authorized to access PHI at the same entity, and a good-faith belief that the unauthorized person could not reasonably have retained the information.
Documenting Adverse Events
Documenting adverse events (AEs) in a research study is required even when they are not reportable to the IRB. Non-reportable events should be referenced and retained in the PI's study files for follow-up, using an AE log or similar documentation.
At the time of Continuing Review, the IRB asks whether you are documenting AEs, including non-reportable ones. If you answer "No", you are prompted to attest that you will use an AE log or similar documentation going forward.
Reporting Requirements
Reporting Requirements are the concrete deliverables of HIPAA's breach notification process. You must notify affected individuals in writing by first-class mail to their last known address, or by email only if the individual has agreed to electronic notice, without unreasonable delay and in no case later than 60 days following discovery of the breach. If contact information for 10 or more individuals is out of date, substitute notice is required: a conspicuous posting on the entity's website for 90 days or notice in major print or broadcast media, in either case with a toll-free number.
Notifications must include, in plain language: a brief description of what happened, including the date of the breach and the date of discovery; the types of unsecured PHI involved; steps individuals should take to protect themselves; what the entity is doing to investigate, mitigate harm, and prevent recurrence; and contact procedures such as a toll-free number, email address, website, or postal address.
Covered Entities must also notify the Secretary of Health and Human Services through the OCR breach report portal on the HHS website. If the breach affects 500 or more individuals, this notification must be made without unreasonable delay and in no case later than 60 days following discovery of the breach.
If the breach affects fewer than 500 individuals, the Covered Entity may notify HHS on an annual basis, within 60 days after the end of the calendar year in which the breach was discovered.
In addition to individual notice, a breach that affects 500 or more residents of a State or jurisdiction requires notice to prominent media outlets serving that State or jurisdiction. This notice is often given as a press release and must be provided without unreasonable delay and in no case later than 60 days following discovery of the breach.
Here are the key reporting requirements:
- Individuals: written notice by first-class mail (or email with the individual's agreement), within 60 days of discovery, for every breach
- HHS: via the OCR portal; within 60 days of discovery if 500 or more individuals are affected, otherwise annually within 60 days after the end of the calendar year
- Media: prominent outlets serving the State or jurisdiction, within 60 days of discovery, if 500 or more of its residents are affected
Incident Response and Planning
If a HIPAA security incident occurs, the covered entity or business associate must document and investigate it thoroughly.
The incident must be documented as soon as possible, and the investigation conducted promptly to determine its cause and scope.
Under the HIPAA Security Rule, a security incident is "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." Not every security incident is a breach: a breach is the subset that involves an impermissible use or disclosure of unsecured PHI.
In the event of a breach, the organization must notify the affected individuals and the Secretary of HHS, and meet the additional requirements of the Breach Notification Rule where applicable.
To decide whether a breach has occurred, start from the HHS definition: a breach is "an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information."
An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment of at least the four factors, that there is a low probability that the protected health information has been compromised.
Here are the key steps to follow in the event of a suspected breach:
- Document the incident as soon as possible
- Conduct a thorough investigation to determine the cause and scope of the incident
- Determine whether the incident is a breach as defined by HHS (an impermissible use or disclosure of unsecured PHI, with no exception applying and no demonstrated low probability of compromise)
- Notify the affected individuals and the Secretary of HHS, and follow the additional requirements of the Breach Notification Rule where applicable
At the time this was written, the annual deadline for reporting breaches that affected fewer than 500 individuals during calendar year 2023 was March 1, 2024. These reports go to the Secretary of the U.S. Department of Health and Human Services (HHS) through the Office for Civil Rights (OCR) breach portal.
Sources
- https://www.linkedin.com/pulse/hipaa-security-incidents-reportable-events-lazarus-alliance
- https://www.niu.edu/doit/about/policies/hipaa-breach-notification-rule.shtml
- https://irb.ucsf.edu/adverse-event
- https://m3ins.com/identifying-reportable-hipaa-breaches/
- https://www.healthcarecompliancepros.com/blog/breakdown-on-breaches-and-what-to-do