Posted on 16 February 2010 by Anthony
Under the HITECH Act's breach notification rule as it stands at the time of writing, a healthcare organization must report a breach of unsecured protected health information only when it poses a significant risk of financial, reputational, or other harm to the individual. Even when an incident falls short of that threshold, it is irresponsible for a healthcare organization to ignore a breach of its patients' private health information. If the health information can be tied in any way to the individual, ethical responsibility to your patients should motivate reporting the breach and notifying the proper authorities.
For official reporting to the U.S. Department of Health & Human Services (HHS), breaches fall into two groups: those affecting fewer than 500 individuals, which may be logged and reported to HHS annually (within 60 days after the end of the calendar year), and those affecting 500 or more individuals, which must be reported without unreasonable delay and no later than 60 days after discovery. Many healthcare providers are hesitant to report a breach officially to HHS because the new requirements under the HITECH Act also state that a breach affecting 500 or more individuals will be posted on the HHS website. It seems virtually impossible that no data breach has occurred, yet there are no organizations reported on the HHS website that I have found yet, as seen here.
Reporting a breach to HHS is relatively simple: it is an online form that requires little technical knowledge and no submission of technical data or proof of the breach. That matters because network forensics can be extremely complicated for the novice, while most of the initial cases reported will be physically obvious (a lost or stolen device, for example, rather than a subtle intrusion), at least until healthcare data security is audited more carefully than it is today. See the form for reporting a notice to the Secretary of HHS here.
It is also a good idea to report any security incident to US-CERT, even one that the HHS rules do not require you to report. US-CERT accepts reports of a much broader range of incidents than breaches causing harm to individuals; a report should be filed even when, for instance, a computer virus outbreak is detected at a provider. The US-CERT reporting form is also simple to complete and does not require any major forensics knowledge. To see the form for reporting general network and data incidents to US-CERT, click here.
As for notification to your patients: unless the breach poses a significant risk of financial, reputational, or other harm to the individual, HIPAA does not require healthcare organizations to notify the affected individuals, but should you? Most definitely! Most states already have reporting requirements for data breaches of personally identifiable information, and notifying is simply the responsible and ethical choice for any provider wishing to maintain any level of trust with their patients and clients. To see a sample letter written by the FTC for notification of a data breach, visit their website.
AMENDMENT: Since this was written, HHS has posted on its website the providers it is aware of where 500 or more individuals were affected by a breach.