Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records
The HIPAA Breach Notification Rule requires data breaches of 500 or more records to be reported to the Secretary of the Department of Health and Human Services no later than 60 days after the discovery of a breach. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was experienced – 45 C.F.R. § 164.408.
That means smaller healthcare data breaches must usually be reported to the HHS no later than March 1 each year, but this year is a leap year so there is an extra day in February. That means the deadline for reporting smaller breaches is one day earlier. All breaches that have affected fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020.
All breaches must be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach must be reported separately and full information about each breach should be submitted. If several small data breaches have been experienced in the 2020 calendar year, reporting the breaches can take some time. It is therefore advisable not to leave the reporting of data breaches to the last minute to ensure the deadline is not missed. If data breaches are reported later than the 60-day deadline, financial penalties can be imposed.
If a breach has been experienced and the number of individuals affected by the breach has not yet been determined, the breach report should include an estimate of the number of people affected. It is not permissible to delay reporting the breach. When the actual number of affected individuals is known, an addendum can be submitted. Addenda should also be used to update breach reports when further information about the breach becomes available.