Share this article on:
The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule places a strict time limit on issuing notifications to individuals whose protected health information has been exposed or impermissibly disclosed. The maximum time limit is 60 days from the date of discovery of the data breach, although notification letters should be sent “without unreasonable delay.”
In addition to sending notification letters to individuals affected by a data breach, the HIPAA Breach Notification Rule also requires the Secretary of the Department of Health and Human Services (HHS) to be notified about a data breach. The time limit for submitting that notification depends on the number of individuals affected by the data breach.
When a data breach has been experienced that affects 500 or more individuals, the Secretary of the HHS must also be notified “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” If all information is not known about the breach within 60 days, the breach should still be reported to the HHS, and it can be amended at a later date when more information is known.
When a data breach has affected fewer than 500 individuals, HIPAA-regulated entities have longer to report the breaches to the HHS. N.B. the time limit for individual notifications is still 60 days from the date of discovery of the breach, regardless of how many individuals have been affected.
The deadline for reporting breaches of the PHI of fewer than 500 individuals to the HHS is 60 days from the end of the calendar year in which the breach was discovered. That means all PHI breaches discovered in 2021 that involved the PHI of fewer than 500 individuals must be reported to the Secretary of the HHS no later than 11:59:59 p.m. on March 1, 2022. Each breach must be reported to the HHS separately via the breach reporting tool on the HHS website.
Many HIPAA-regulated entities will leave their breach reporting until close to the reporting deadline, so the breach reporting portal is likely to see high levels of traffic as the deadline approaches, which could potentially cause availability issues. It is therefore advisable to report any breaches well ahead of the breach reporting deadline.
You should bear in mind that several states have passed legislation covering the reporting of data breaches, and the time frame for reporting breaches may be shorter than those of the HIPAA Breach Notification Rule. In many cases, HIPAA-regulated entities are exempt from state breach notification laws provided they comply with the reporting requirements of HIPAA. If they are not compliant with the Breach Notification Rule, state attorneys general may decide to investigate, and civil monetary penalties could be imposed for violations of HIPAA or state laws.