Is That Security Incident a Reportable Breach? HIPAA & HITECH Act Blog by Jonathan P. Tomes

Several times a month, on average, I get a question from a Premium Member or others who get a free question, such as our seminar and webinar attendees, as to whether a particular security incident is a reportable breach that must be reported to the Department of Health and Human Services (“DHHS”) or to the individual. The caller or writer gives me a short synopsis of the security incident and asks my opinion.

Almost universally, my answer is to have the person first fill out a security incident report and let me analyze it. The reason for this first step is that the report form is designed to identify and record all information concerning the possible breach. Failure to make a required report is willful neglect, which DHHS must formally investigate and which could result in a civil money penalty. Drafting this security incident report for your internal use at the outset satisfies that requirement under HIPAA. Also, submitting the security incident report straight to me avoids the delay inherent in asking me orally or by email, having me ask for the report form, and only then getting my response. Reports of reportable breaches must be made to DHHS within 180 days. So the sooner I receive your written security incident report and can analyze it, the better.

Remember that not every security incident is a breach, just as not every car is a Rolls Royce. Each security incident falls somewhere on a continuum from an oops to a breach due to willful neglect that has not been corrected. So this first step of drafting a security incident report begins the process of figuring out whether the security incident is a reportable breach or not.

If you have bought my HIPAA compliance library, you will find sample report and response policies on the HIPAA Documents Resource Center CD, 6th edition, which accompanies the Compliance Guide to HIPAA and the DHHS Regulations, 6th edition. The sample report policy includes sample report and response forms at the end of the policy. They are also available on the Sample HIPAA Policies and Procedures CD that accompanies my book The Complete HIPAA Policies and Procedures Guide. Also, my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, 2nd edition, includes not only everything that you need to know about breaches but also a sample HIPAA security incident report/response form as Appendix A. If you do not have access to those books and CDs and need a blank security incident report form, contact Alice McCart at
