HIPAA Breach Notification Deadline Approaching

Report HIPAA Breaches by Upcoming Deadline ||

2022 was a big year for HIPPA breaches, with 615 large-scale breaches reported affecting 49,702,726 patients. If your medical practice or healthcare entity suffered a breach in 2022, there are steps you need to take to report the incidents.

Yearly Breach Notification Deadline

Each year healthcare organizations must report breaches affecting less than 500 patients to the Department of Health and Human Services (HHS) within 60 days from the end of the calendar year in which the breach occurred. This means that smaller-scale breaches that occurred in any given year must be reported by March 1 of the following year to the HHS. The breach notification deadline is discussed below to provide guidance on how to comply with the HIPAA Breach Notification Rule.

What Is Considered a Breach Under HIPAA?

Under HIPAA, a breach is an incident that has the potential to compromise protected health information (PHI). This includes hacking incidents, unauthorized access to PHI (whether an outside party, or a member of your workforce accessing PHI without cause), theft or loss of an unencrypted device with access to PHI, or improper disposal of medical records.

Are There Breaches That Need to Be Reported Before March 1st?

The breach notification deadline only applies to breaches affecting less than 500 patients. Larger breaches, affecting 500 or more patients, must be reported within 60 days of discovery.

How Do I Report a HIPAA Breach to the HHS?

You simply go to the HHS breach portal to submit a breach report. In the breach portal, you will be asked a series of questions, including if you are a covered entity or business associate, how many patients were affected by the breach, when the breach occurred, what type of breach occurred, etc.

Breach Notification Deadline

If you report a breach affecting 500 or more patients, upon receipt of your submission, the breach will be listed on the Office for Civil Rights (OCR) website for public view.

Do I Need to Report the Breach to Anyone Else?

In addition to reporting a breach to HHS’ OCR, you must also inform patients of the breach. You must inform patients in writing by mail within 60 days of the breach. The breach must also be available on your website for 90 days should ten or more patients be unreachable by mail. If the breach affected 500 or more patients, you must also report it to local media outlets. However, if the breach was widespread (affecting patients in multiple locations), the breach notice must be available to national media outlets.

What Must Be in a Breach Notification Letter?

HIPAA breach notification letters must include, to the extent possible, the following information:

  • A brief description of the breach
  • A description of the types of information that were involved in the breach
  • The steps affected individuals should take to protect themselves from potential harm
  • A brief description of what the breached entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
  • Contact information for the breached entity

Fines for Failing to Meet the Breach Notification Deadline

In the past, several organizations have been fined by federal and state governments for failing to comply with the breach notification deadline. Some states have stricter reporting requirements than what is dictated by the HHS. Healthcare organizations must comply with the stricter breach notification law in these cases.

  • UCLA Health, fined $7.5 million
  • Touchstone Medical Imaging, fined $3 million
  • Jackson Health System, fined $2.154
  • Presence Health, fined $475,000
  • CoPilot Provider Support Services, fined $130,000

While some of the listed organizations also committed other HIPAA violations, they were also penalized for their untimely breach notification reporting.

Contribution by the Compliancy Group

This blog post was provided by the Compliancy Group, a supporter of the National Society of Certified Healthcare Business Consultants.

So need assistance with HIPAA compliance? Compliancy Group can help! Their simplified software solution and Compliance Coach® guidance help healthcare professionals achieve HIPAA compliance with ease. Find out more about Compliancy Group and HIPAA compliance. Get HIPAA compliant today!

Healthcare Compliance Services - Reed Tinsley, CPA (rtacpa.com)

Additional Resources on Security:

Have questions? I’m here to help.