HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Small Healthcare Data Breach Notification Deadline: March 1, 2017

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information to the Department of Health and Human Services’ Office for Civil Rights.

While large data breaches – those impacting 500 or more individuals – must be reported to OCR within 60 days of the discovery of the breach, covered entities can delay the reporting of smaller data breaches.

While patients must be notified of any breach of their ePHI within 60 days – regardless of the number of individuals affected by the breach – notifications of security incidents are not required by OCR until 60 days after the end of the calendar year in which the data breaches were discovered.

The deadline for reporting 2016 healthcare data breaches impacting fewer than 500 individuals is March 1, 2017.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

As with larger data breaches, all smaller incidents must be submitted via the OCR breach reporting tool. While smaller data breaches can be reported together, each breach must be entered into the breach reporting tool separately along with any supporting information.

Even if the full details of the breach are not yet known, covered entities should submit the reports before the March 1 deadline. An addendum can be added to the breach report when further information becomes available.

It is strongly advisable to designate the reporting of breaches to one individual and for the process of uploading the breach reports to start as soon as possible. Covered entities should not wait until February 28 or March 1 to upload their breach reports. The late reporting of healthcare data breaches would be a violation of the HIPAA Breach Notification Rule, and as we have already seen this year, fines for late breach notifications can be – and are – issued.

In January, OCR took action against Presense Health Network for unnecessarily delaying the issuing of breach notification letters to patients. Presense Health was required to pay OCR $475,000 to settle the case.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.