HIPAA covered entities that suffered "small" data breaches in calendar year 2016 have until March 1, 2017 to report the breach to the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).
HIPAA requires a covered entity, upon discovery of a breach of unsecured protected health information (PHI), to notify each affected individual "without unreasonable delay" and, in any event, within 60 days after the breach was discovered. For a breach affecting 500 or more individuals, the covered entity must also notify OCR within the same time period. "Small" breaches – those that involve fewer than 500 people – must be reported to OCR no later than 60 days after the calendar year in which the breach was discovered. For non-leap years, that deadline is March 1.
Business associates that experience their own data breaches are required to report the breach to the covered entity "without unreasonable delay" and no later than 60 days from the discovery of the breach, although the Business Associate Agreement between the parties may require a shorter timeframe. Some covered entities, however, ask their business associates to handle the required reporting to the affected individuals and/or OCR.
OCR maintains an online portal where each small breach that occurred during the year must be reported separately. More information about the Breach Notification Rule and reporting requirements may be found on the HHS website.
For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.
Click here for more Healthcare Blogs from Day Pitney
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.