2021 Breach Notification Deadline Approaching

Each year, healthcare organizations must report breaches affecting fewer than 500 patients to the Department of Health and Human Services (HHS) within 60 days of the end of the calendar year in which the breach was discovered. This means that smaller breaches discovered in 2020 must be reported to HHS by March 1, 2021. To help healthcare organizations comply with the HIPAA Breach Notification Rule, the 2021 breach notification deadline is discussed below.

What Is Considered a Breach Under HIPAA?

Under HIPAA, a breach is an impermissible use or disclosure of protected health information (PHI) that compromises, or is presumed to compromise, the security or privacy of that information. An incident is treated as a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Common examples include hacking incidents, unauthorized access to PHI (whether by an outside party or by a member of your workforce accessing PHI without a legitimate reason), theft or loss of an unencrypted device containing or able to access PHI, and improper disposal of medical records.

Are There Breaches That Need to Be Reported Before March 1st?

The March 1 deadline only applies to breaches affecting fewer than 500 patients. Larger breaches, affecting 500 or more patients, must be reported to HHS without unreasonable delay and no later than 60 days after discovery.


How Do I Report a Breach to the HHS?

To submit a breach report, go to the HHS breach portal. The portal asks a series of questions, including whether you are a covered entity or a business associate, how many patients were affected, when the breach occurred, what type of breach occurred, and so on. HHS publishes the full list of questions you will need to answer when reporting a PHI breach.

If you are reporting a breach affecting 500 or more patients, the Office for Civil Rights (OCR) will list the breach on its public breach portal once your submission is received.

Do I Need to Report the Breach to Anyone Else?

In addition to reporting a breach to HHS’ OCR, you must also notify the affected patients. Individual notices must be sent in writing by first-class mail (or by email, if the patient has agreed to electronic notice) without unreasonable delay and no later than 60 days after the breach is discovered. If you have out-of-date contact information for ten or more patients, you must provide substitute notice, either by posting a conspicuous notice on the home page of your website for 90 days or by publishing it in major print or broadcast media where the affected patients likely reside, and in both cases by providing a toll-free number, active for at least 90 days, that patients can call to learn whether they were affected. If the breach affected more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that state or jurisdiction. For a breach that spans multiple states, each state with more than 500 affected residents requires its own media notice.

Let’s Simplify Compliance

Do you need help with HIPAA? Compliancy Group can help!
