HIPAA Breach Notification Form

You may have been hearing a lot about HIPAA breach notification reporting lately, and for good reason. The deadline to report small-scale breaches to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is March 1st. When you report a breach to the HHS OCR, you are required to submit a HIPAA Breach Notification Form.

Before completing the form, it is important to understand what types of incidents are reportable, which breaches are required to be reported by March 1st, and what information you will need to complete the HIPAA Breach Notification Form.

What Types of Incidents Are Reportable?

Not all incidents are considered reportable breaches. The HIPAA regulation only requires reporting of breaches of unsecured protected health information (PHI). For example, suppose a laptop with access to electronic PHI is stolen, but the laptop is encrypted to prevent unauthorized access. This is not a reportable breach, since the ePHI on the device is inaccessible.

There are several incidents that are reportable, however, including:

  • Hacking or IT incidents
  • Unauthorized access or disclosure of PHI
  • Theft or loss of an unencrypted device with access to ePHI
  • Improper disposal of medical records

Since all of the incidents mentioned above can lead to PHI access by an unauthorized party, they are all reportable under the HIPAA Breach Notification Rule.


Which Breaches Are Required to be Reported by March 1st?

Breach reporting requirements differ depending on how many patients were affected by the incident. Breaches that affected 500 or more patients should have been reported to the HHS within 60 days of discovering the incident. All smaller breaches that affected fewer than 500 patients and occurred in 2021 must be reported to the HHS by March 1, 2022.

The HHS states on their site, “The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link.”

However, regardless of the size of the breach, affected patients must be informed of the incident within 60 days of discovery. Patients must be mailed breach notification letters that describe the details of the breach and advise them on how to monitor their information.

What Information Does the HIPAA Breach Notification Form Ask?

In the HIPAA Breach Notification Form, you will be asked a series of questions including: 

  • Are you a covered entity or business associate? 
  • How many patients did the breach affect?
  • When did the breach occur?
  • What type of incident occurred (e.g. hacking, unauthorized access to PHI, etc.)?

A full list of the questions you will need to answer when reporting a PHI breach can be found here.

Make Sure You Don’t Miss Important HIPAA Deadlines

The HIPAA Breach Notification deadline is just one of many HIPAA deadlines. Although the Breach Notification deadline is the most tangible, with specific breach submission dates that must be met, there are other important HIPAA obligations