Official notifications of HIPAA breaches affecting fewer than 500 individuals are due today at the Department of Health and Human Services (HHS). Notices should be posted using the HHS website reporting tool. The Office for Civil Rights (OCR) within HHS handles breach oversight.
A HIPAA breach is defined as “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI).”
The affected individuals were to have received their personal notices within 60 days of the breach.
The applicable HIPAA regulation (45 CFR 164.408(c)) provides:
“For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.”
Breaches affecting 500 or more individuals must be reported to HHS within 60 days and must also be reported to the media within the same time frame.
In August 2016, HHS sent out a memo directing regional offices to investigate smaller breaches, which had previously taken a back seat to breaches affecting 500 or more individuals, writing that “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these [smaller] breaches.”
The breach notification requirement dates to April 2009. Specifically, the rule spells out the responsibilities of both covered entities and their business associates: “Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.”
Further details can be found on the HHS website.