Notice of Small HIPAA Breaches from 2017 Due Today

Official notifications of HIPAA breaches affecting fewer than 500 individuals are due today at the Department of Health and Human Services (HHS): the rule sets the deadline at 60 days after the end of the calendar year in which the breach was discovered, which for 2017 breaches is March 1, 2018. Notices must be submitted through the breach reporting tool on the HHS website. The Office for Civil Rights (OCR) within HHS handles breach oversight and enforcement.

A HIPAA breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI).”

The affected individuals should already have received their individual notices, which are due without unreasonable delay and no later than 60 days after the breach was discovered.

The applicable HIPAA regulation (45 CFR 164.408(c)) provides:

For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.

Breaches affecting 500 or more individuals must be reported to HHS at the same time individual notices go out, that is, within 60 days of discovery. Where a breach involves more than 500 residents of a single state or jurisdiction, notice must also be provided to prominent media outlets serving that area within the same time-frame.

In August 2016, OCR announced an initiative directing its regional offices to investigate smaller breaches more widely. Such breaches had previously taken a back seat to those affecting 500 or more individuals. OCR wrote that “each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these [smaller] breaches.”

The breach notification requirement dates to the HITECH Act of 2009. The rule spells out the responsibilities of both covered entities and their business associates: “Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.”

Further details can be found on the HHS website.

NOTE: The details in this blog are provided for informational purposes only. All answers are general in nature and do not constitute legal advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The author specifically disclaims any and all liability arising directly or indirectly from the reliance on or use of this blog.