The HIPAA breach notification deadline for HIPAA-covered entities is fast approaching. Covered entities have until March 1, 2017 to submit their 2016 data breach reports to the Department of Health and Human Services’ Office for Civil Rights.
HIPAA covered entities that have experienced a breach of the protected health information of patients or plan members are required by the HIPAA Breach Notification Rule to send a report of the breach to OCR within 60 days of the discovery of the breach if the breach impacts 500 or more individuals.
Covered entities are given some leeway when it comes to reporting breaches of fewer than 500 healthcare records. Those breaches must still be reported to OCR, although covered entities do not have to issue breach reports until 60 days following the end of the calendar year in which the breach was discovered. That means there is a March 1, 2017 deadline for submitting reports of small healthcare data breaches via the OCR breach reporting tool on the HHS website.
As we have already seen this year, the late issuing of breach notifications is a punishable HIPAA violation. In January, OCR announced that it had settled a case with the healthcare organization Presence Health. The Chicago-based healthcare network delayed the issuing of breach notification letters to patients and took more than three months from the discovery of the breach to send the letters, rather than the 60 days the rule allows. That roughly 40-day delay cost the healthcare network $475,000.
Covered entities that have yet to report their smaller ePHI breaches of 2016 should not wait until the last minute to submit their reports. Even though the breaches are small, a separate breach report must be filed for each incident. Uploading the breach reports and providing all the required information can take time. If the process is left until February 28, 2017, it is possible that the deadline may be missed.
If a covered entity has delegated the reporting of small breaches to a business associate, which is permitted under HIPAA Rules, the covered entity should confirm that the business associate is aware of the HIPAA breach notification deadline. Now would be a good time to make the call or confirm by email, if confirmation has not already been received.
Typically, OCR concentrates its efforts on investigating larger healthcare data breaches, although action has been taken against organizations for HIPAA violations discovered during investigations of smaller breaches. Since an investigation is possible, covered entities should ensure that all documentation related to smaller breaches, including the risk assessment and the notifications issued, is retained in case of an investigation or audit.