HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS Reporting Deadline for 2014 HIPAA Breach Reports

The deadline for reporting security breaches (involving fewer than 500 individuals) from 2014 is in a little over three weeks. Any healthcare provider or other covered entity that has not submitted all 2014 breach reports must ensure they have all been filed – and are updated – via the HHS website portal by the March 2, 2015 deadline.

All organizations covered by the Health Insurance Portability and Accountability Act are required by the HIPAA Breach Notification Rule to report breaches affecting more than 500 individuals within 60 days of the discovery of the breach. The Office for Civil Rights must be informed, and all individuals affected by the breach must also be notified so that they can take the necessary steps to mitigate any damage caused.

Covered entities are also required to report breaches affecting fewer than 500 individuals to the Department of Health and Human Services, although the breach reports only need to be submitted once per year. A failure to submit a breach report – or submitting inaccurate breach reports – is a violation of the HIPAA Breach Notification Rule, and could see the OCR issue a fine for non-compliance or may trigger a full HIPAA compliance audit.

Web Portal Changes

Recent updates to the HHS breach reporting portal included a change to the format – a new wizard has been installed – and amendments to the information which must be provided to the OCR about data breaches. More detailed information needs to be submitted covering the actions that have been taken in response to breaches. The change of system so close to the reporting deadline may put some healthcare providers under pressure if they do not have all the required information in their breach logs.


Reporting Best Practices

Now is a good time to put policies in place covering future breach reports and to incorporate the recent changes to the breach reporting portal into procedures. The HHS does not stipulate when small breach reports should be made – other than providing an annual deadline – but it is a best practice to file breach reports as soon as the preliminary investigations have been completed.

Further information can be added as addenda – such as the actions taken to address security vulnerabilities identified by the breach. A final check of submitted breach reports can then take place as the deadline approaches. This ensures all information required by the OCR is obtained and provided at a time when it is easiest to collect.

The change to the web portal should serve as a reminder to HIPAA-covered organizations that the OCR is looking closely at all data breaches, not just those affecting thousands of individuals. The additional detail required for small breach reports suggests they are now being scrutinized, and that the OCR is examining the risk management strategies implemented in response to breaches to address the security vulnerabilities those breaches expose.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.