The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching.
HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame; instead, covered entities can delay reporting those breaches to OCR until the end of the calendar year.
The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018.
A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,” such as encryption. A breach of encrypted PHI is not reportable unless the key to unlock the encryption is also reasonably believed to have been compromised.
Covered entities should be aware that ransomware incidents are usually reportable HIPAA data breaches, even if PHI has not been stolen in the attack. To avoid reporting a ransomware incident, a covered entity must be able to demonstrate a low probability that PHI was compromised in the attack. That determination must be based on a risk assessment (see 45 CFR § 164.402).
While covered entities can submit details of all ‘small’ PHI breaches at the same time, each breach must be reported as a separate event. They cannot all be uploaded to the breach portal together.
While the HIPAA Breach Notification Rule allows covered entities additional time to report data breaches impacting fewer than 500 individuals, notifications to the individuals affected by those data breaches cannot be delayed. They must be issued within 60 days of the discovery of the breach, and without unnecessary delay, regardless of how many individuals have been impacted by the breach.
It is good practice to report all breaches of PHI within 60 days of discovery. Oftentimes, full information about the breach is not available at the time of reporting, but further information can be added to the OCR data breach report when it becomes available. If the number of individuals affected by the breach has not been confirmed, an estimate should be provided. The final total can then be submitted to OCR as an update to the breach report once the number of individuals impacted has been determined.
The penalties for the late reporting of data breaches can be severe, and OCR made it clear in January 2017 that ignoring the deadline for reporting breaches, or unnecessarily delaying breach reports, is a HIPAA violation that will not be ignored. Presence Health became the first covered entity to be fined solely for delaying breach notifications and settled the HIPAA violation with OCR for $475,000.
OCR has yet to issue a financial penalty to a covered entity for the late reporting of small data breaches, but since OCR tends to set examples with its breach settlements, 2018 could well see the first penalty issued.
To avoid a HIPAA penalty, ensure all small breaches of PHI are reported to OCR between now and the end of February 2018 and no later than midnight on March 1.