March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches
The deadline for reporting 2018 data breaches of fewer than 500 records is fast approaching. HIPAA covered entities and their business associates must ensure that the Department of Health and Human Services’ Office for Civil Rights (OCR) is notified of all 2018 data breaches of fewer than 500 records before March 1, 2019.
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to report data breaches of 500 or more records within 60 days of discovering the breach. The deadline for reporting small healthcare data breaches is 60 days from the end of the calendar year in which the breach was experienced.
If it is not possible to determine how many individuals have been affected by a data breach, or if the breach investigation has not been concluded before the 60-day deadline, an interim breach report should be submitted. The breach report can then be updated as and when further information becomes available.
If a data breach is not reported within the 60-day reporting window, OCR can issue a financial penalty for noncompliance. While fines for HIPAA violations are typically reserved for particularly egregious cases of noncompliance and extensive HIPAA failures, OCR has taken action against healthcare organizations for breach notification failures in the past.
In January 2017, OCR issued its first fine solely for a HIPAA Breach Notification Rule violation. Presence Health experienced a data breach in 2013 that affected 836 patients. Operating schedules had been removed from its Joliet, IL, surgery center and could not be located. Presence Health learned of the breach on October 22, 2013, but did not send notifications to patients for 101 days – 31 days later than the reporting deadline. OCR was notified 36 days after the deadline had passed. Presence Health agreed to settle the case with OCR for $475,000.