The Department of Health and Human Services’ Office of Civil Rights (“OCR”) has tried to make a HIPAA security breach easy to report with its newly released online “Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information.”
The online form is straightforward, featuring pull-down options tied to the new HITECH rules: it lets you report whether your breach affects more than 500 individuals (or fewer than that), the type and location of the breach, etc. OCR estimates the form will take 15-30 minutes to complete.
Interestingly, the form does not require a statement under penalty of perjury from the submitting party, only a statement that “I attest, to the best of my knowledge, that the above information is accurate.” This could be seen as an attempt to encourage reporting by not saddling breach reporters with potential liability for making false statements to the government. However, it would also seem to encourage anonymous reporting through the use of an alias.