The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Small Healthcare Data Breach Notification Deadline: March 1, 2017

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information to the Department of Health and Human Services’ Office for Civil Rights.

While large data breaches – those impacting 500 or more individuals – must be reported to OCR within 60 days of the discovery of the breach, covered entities can delay the reporting of smaller data breaches.

While patients must be notified of any breach of their ePHI within 60 days of discovery – regardless of the number of individuals affected – breaches affecting fewer than 500 individuals do not have to be reported to OCR until 60 days after the end of the calendar year in which they were discovered.

The deadline for reporting 2016 healthcare data breaches impacting fewer than 500 individuals is March 1, 2017.


As with larger data breaches, all smaller incidents must be submitted via the OCR breach reporting tool. While smaller data breaches can be reported together, each breach must be entered into the breach reporting tool separately along with any supporting information.

Even if the full details of the breach are not yet known, covered entities should submit the reports before the March 1 deadline. An addendum can be added to the breach report when further information becomes available.

It is strongly advisable to designate the reporting of breaches to one individual and for the process of uploading the breach reports to start as soon as possible. Covered entities should not wait until February 28 or March 1 to upload their breach reports. The late reporting of healthcare data breaches would be a violation of the HIPAA Breach Notification Rule, and as we have already seen this year, fines for late breach notifications can be – and are – issued.

In January, OCR took action against Presence Health Network for unnecessarily delaying the issuing of breach notification letters to patients. Presence Health was required to pay OCR $475,000 to settle the case.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
