Covered entities have until March 1, 2017 to submit to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) breach notification for “small” breaches of unsecured protected health information that were discovered in calendar year 2016.
Breach Notification Requirements
HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Breaches affecting 500 or more individuals must also be reported to OCR at the time individuals are notified. Small breaches (i.e., those involving fewer than 500 individuals) must instead be reported to OCR no later than 60 days after the end of the calendar year in which they were discovered. For breaches discovered in 2016, notifications of small breaches are due no later than March 1, 2017.
If covered entities have delegated breach reporting obligations to business associates (or any other entity), such business associates must meet this OCR notification deadline. Otherwise, business associates fulfill their breach reporting obligations by reporting directly to the covered entity.
Notification Process
Covered entities should submit notice for each small breach online via OCR’s breach portal. The breach portal requires a separate fillable report for each breach rather than a simple upload of the covered entity’s breach log.
Covered entities should expect a somewhat time-consuming and detailed process. As such, covered entities should not wait until March 1 to begin preparing notifications. Instead, covered entities should designate a person who is responsible for notifications and confirm that individual’s availability and capacity to complete the reports in advance of the March 1 deadline. We also recommend that entities prepare the contents of the reports in advance so that other appropriate people (e.g., business leaders, privacy/security officers, legal counsel) can review each report prior to submission. Covered entities can collect and track the detailed information required by the breach portal throughout the calendar year, which shortens the OCR notification process and reduces the risk of omitting pertinent information.
Once reports are submitted, covered entities should print each report and a copy of the submission confirmation to document timely notification to OCR. Covered entities should also continue to retain the supporting materials for each breach, as breach notifications can lead to OCR investigations.