For Covered Entities (CEs) that have had breaches of unsecured protected health information (PHI) affecting fewer than 500 individuals, the deadline for reporting to HHS is 60 days from the end of the calendar year in which the breach was discovered. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days from discovery of the breach. With this year’s annual deadline falling on February 29th (2016 is a leap year), it’s quickly becoming time for organizations to begin their annual reporting process.
HHS has a dedicated site that CEs can visit to report these breaches, and we’ve included some information below to help get you up to speed about what HHS is looking for, and to whom this deadline applies.
Who Needs to Report?
HHS defines a CE as any health plan, any healthcare clearinghouse, or any healthcare provider that transmits “any information in an electronic form in connection with a transaction for which HHS has adopted a standard.” In practice this covers most doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that handle PHI. If an organization meets any of the above criteria and discovered a breach of unsecured PHI in 2015 that affected fewer than 500 individuals, it should visit HHS’ site to report it before February 29th.
What Needs to be Reported and When?
HHS has a few requirements that determine what should be reported and when. The notification obligation applies to breaches of unsecured PHI, meaning PHI that was not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through encryption or destruction consistent with HHS guidance). Beyond that, the timing is decided by the number of individuals affected by a given breach.
- Individuals affected by a breach must be notified without unreasonable delay, and no later than 60 days after the discovery of the breach.
- CEs must document breaches of fewer than 500 individuals’ unsecured PHI and report them to HHS annually. This annual report must be submitted to HHS within 60 days of the end of the calendar year in which the breaches were discovered; this is the deadline that’s approaching on February 29th.
- CEs must report breaches of 500 or more individuals’ unsecured PHI to HHS without unreasonable delay, and no later than 60 days after the discovery of the breach. If a breach affects more than 500 residents of a single state or jurisdiction, prominent media outlets serving that state or jurisdiction must also be notified within the same 60-day window.