This is a friendly reminder to all covered entities that, by February 29, 2016, they must report to the Secretary of Health and Human Services any breaches of unsecured protected health information (PHI) that were discovered in 2015 and involved fewer than 500 individuals.

As most, if not all, covered entities know, HIPAA requires covered entities to report all breaches of unsecured PHI to the Secretary. The timeline for reporting, however, differs depending on the scope of the breach.

  • For any breach affecting more than 500 individuals, the Secretary must be notified without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.
  • For breaches involving fewer than 500 individuals, a covered entity must keep a log of these events and report them annually to the Secretary. This annual report must be filed within 60 days following the end of the year and should include all reportable breaches that were discovered in the prior year.

Breaches discovered in 2015 and involving fewer than 500 individuals should be reported to the Secretary through the Office of Civil Rights Breach Portal no later than February 29, 2016.
