Which Breaches Are Required to be Reported by March 1st?
Breach reporting requirements differ depending on how many patients were affected by the incident. Breaches that affected 500 or more patients should have been reported to the HHS within 60 days of discovering the incident. All smaller breaches that affected fewer than 500 patients and occurred in 2021 must be reported to the HHS by March 1, 2022.
The HHS states on its site, “The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link.”
However, regardless of the size of the breach, affected patients must be informed of the incident within 60 days of discovery. Patients must be mailed breach notification letters that discuss the details of the breach, and advise patients on how to monitor their information.
What Information Does the HIPAA Breach Notification Form Ask?
In the HIPAA Breach Notification Form, you will be asked a series of questions including:
- Are you a covered entity or business associate?
- How many patients did the breach affect?
- When did the breach occur?
- What type of incident occurred (e.g., hacking or unauthorized access to PHI)?
A full list of the questions you will need to answer when reporting a PHI breach can be found here.
Make Sure You Don’t Miss Important HIPAA Deadlines
The HIPAA Breach Notification deadline is just one of many HIPAA deadlines. Although the Breach Notification deadline is the most tangible, with specific breach submission dates that must be met, there are other important HIPAA obligations