Yearly Breach Notification Deadline Approaching
Each year healthcare organizations must report breaches affecting less than 500 patients to the Department of Health and Human Services (HHS) within 60 days from the end of the calendar year in which the breach occurred. This means that smaller scale breaches that occurred in any given year must be reported by March 1st the following year to the HHS — or February 29th in a leap year.
To provide healthcare organizations guidance on how to comply with the HIPAA Breach Notification Rule, and the breach notification deadline are discussed below.
What Is Considered a Breach Under HIPAA?
Under HIPAA, a breach is an incident that has the potential to compromise protected health information (PHI). This includes hacking incidents, unauthorized access to PHI (whether it be an outside party, or a member of your workforce accessing PHI without cause), theft or loss of an unencrypted device with access to PHI, or improper disposal of medical records.
Are There Breaches That Need to Be Reported Before March 1st?
The breach notification deadline only applies to breaches affecting less than 500 patients. Larger breaches, affecting 500 or more patients, must be reported no later than 60 days after discovery.
How Do I Report a Breach to the HHS?
To submit a breach report, you simply go to the HHS breach portal. In the breach portal, you will be asked a series of questions including, if you are a covered entity or business associate, how many patients were affected by the breach, when the breach occurred, what type of breach occurred, etc.
If you are reporting a breach affecting 500 or more patients, upon receipt of your submission, the breach will be listed on the Office for Civil Rights (OCR) website for public view.
Do I Need to Report the Breach to Anyone Else?
In addition to reporting a breach to HHS’ OCR, you must also inform patients of the breach. You must inform patients in writing by mail within 60 days of the breach. The breach must also be available on your website for 90 days should ten or more patients be unreachable by mail. If the breach affected 500 or more patients, you must also report it to local media outlets. However, if the breach was widespread (affecting patients in multiple locations) the breach notice must be available to nationwide media outlets.
What Must Be In a Breach Notification Letter?
Breach notification letters must include, to the extent possible, the following information:
- A brief description of the breach;
- A description of the types of information that were involved in the breach;
- The steps affected individuals should take to protect themselves from potential harm;
- A brief description of what the breached entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and
- Contact information for the breached entity.
Fines for Failing to Meet the Breach Notification Deadline
In the past, there have been several organizations fined by both federal and state governments for their failure to comply with the breach notification deadline. Some states have stricter reporting requirements than what is dictated by the HHS. In these cases, healthcare organizations must comply with the stricter breach notification law.
- UCLA Health, fined $7.5 million
- Touchstone Medical Imaging, fined $3 million
- Jackson Health System, fined $2.154
- Presence Health, fined $475,000
- CoPilot Provider Support Services, fined $130,000
While some of the listed organizations also committed other HIPAA violations, they were also penalized for their untimely breach notification reporting.
