Small Healthcare Data Breach Notification Deadline: March 1, 2017

Share this article on:

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information to the Department of Health and Human Services’ Office for Civil Rights.

While large data breaches – those impacting 500 or more individuals – must be reported to OCR within 60 days of the discovery of the breach, covered entities can delay the reporting of smaller data breaches.

While patients must be notified of any breach of their ePHI within 60 days – regardless of the number of individuals affected by the breach – notifications of security incidents are not required by OCR until 60 days after the end of the calendar year in which the data breaches were discovered.

The deadline for reporting 2016 healthcare data breaches impacting fewer than 500 individuals is March 1, 2017.

As with larger data breaches, all smaller incidents must be submitted via the OCR breach reporting tool. While smaller data breaches can be reported together, each breach must be entered into the breach reporting tool separately along with any supporting information.

Even if the full details of the breach are not yet known, covered entities should submit the reports before the March 1 deadline. An addendum can be added to the breach report when further information becomes available.

It is strongly advisable to designate the reporting of breaches to one individual and for the process of uploading the breach reports to start as soon as possible. Covered entities should not wait until February 28 or March 1 to upload their breach reports. The late reporting of healthcare data breaches would be a violation of the HIPAA Breach Notification Rule, and as we have already seen this year, fines for late breach notifications can be – and are – issued.

In January, OCR took action against Presense Health Network for unnecessarily delaying the issuing of breach notification letters to patients. Presense Health was required to pay OCR $475,000 to settle the case.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On