Hopefully, you’ve been keeping a list of your minor breaches that occurred in 2021 because now is the time to report them to the Department of Health and Human Services. As the 2022 HIPAA breach notification rule deadline approaches, it is important that you know the deadline and understand what incidents need to be reported.
When is the 2022 HIPAA Breach Notification Rule Deadline?
When is the 2022 HIPAA Breach Notification Rule deadline? Well, that depends on how many patients were affected by the breach in question. If your organization experienced a breach that affected 500 or more patients, it should have been reported within sixty days of discovery. Failure to do so is a HIPAA violation subject to costly penalties.
If however, the breach (or multiple breaches) affected less than 500 patients, it must be reported by March 1st of the following year to the Department of Health and Human Services. So, the deadline to report 2021 small-scale breaches is March 1, 2022.
In either case, breach notification letters should have been mailed to patients within sixty days of discovering the breach. If ten or more patients could not be contacted by mail, the breach notice must also be posted on your website for ninety days.
What Types of Incidents Need to be Reported?
While you probably already know that hacking incidents need to be reported, several other types of incidents constitute a reportable breach. The HIPAA regulation defines a breach as any incident that has the potential to compromise the confidentiality, integrity, or availability of protected health information (PHI).
Reportable breaches include:
- Hacking or IT incidents: when an unauthorized entity gains access to your network server, email, EMR/EHR, desktop, laptop, or other portable electronic devices.
- Unauthorized access or disclosure of PHI: when PHI is accessed or disclosed inappropriately by employees or unauthorized individuals. This can occur through paper/films, EMR/EHR, or email.
- Theft or loss of an unencrypted device with access to PHI: when an unencrypted electronic device containing PHI is lost or stolen. This includes desktop computers, laptops, tablets, mobile phones, or other portable electronic devices with the potential to access PHI.
- Improper disposal of medical records: when paper or electronic records are disposed of in a way that leaves them susceptible to unauthorized access. Paper records must be shredded, burned, pulped, or pulverized, rendering PHI unreadable and unable to be reconstructed. Electronic devices must be purged, cleared, or destroyed.
For more information on breach reporting, please click here.
We Offer Breach Support
As a Compliancy Group client, we have your back if you are breached. If you experience an incident, we will help you determine whether or not it is a reportable incident. If the incident is subject to breach reporting, we will be with you every step of the way to make sure the breach is reported to the appropriate parties in the timeframe required by the HHS. Find out more about how we can help!
