Deadline for Reporting 2014 HIPAA Breaches

The deadline for reporting 2014 HIPAA breaches is fast approaching and only four weeks remain for organizations to advise the Department of Health and Human Services of the breaches which have occurred throughout 2014 and affected fewer than 500 individuals.

The Breach Notification Rule of the Health Insurance Portability and Accountability Act requires all covered entities to submit reports of data breaches to the Department of Health and Human Services within 60 days of the breach occurring if they involve more than 500 individuals.

Deadline for Reporting 2014 HIPAA Breaches is March 2

The deadline for submitting all breach reports for incidents that have occurred in 2014 is March 2, 2015. This is also the final deadline for 500+ breaches that were discovered on Dec 31, 2014 and for all data breaches which involved fewer than 500 individuals that occurred between Jan 1, 2014 and Dec 31, 2014.

HIPAA does not require data breaches involving fewer than 500 individuals to be reported immediately, which is intended to ease the administrative burden on covered organizations. These small breaches can instead be reported annually, although organizations that have implemented a policy of reporting smaller data breaches within the same 60-day time period as larger breaches will be able to avoid a last-minute rush to gather the necessary data ahead of the March deadline.

A failure to submit all breach reports – large and small – before the deadline is a violation of HIPAA Breach Notification Rules and could see the Office for Civil Rights issue a financial penalty, or worse still, the violation could trigger a full HIPAA compliance audit.

While fines are not frequently issued for minor violations in the absence of a data breach, lax standards and a failure to follow basic reporting rules hint that an organization may be committing many more HIPAA violations, and the OCR may decide an audit is appropriate.

OCR Eases Administrative Burden

The Office for Civil Rights is charged with policing HIPAA; however, as it found during the pilot audit program, the administrative burden it faces trying to collect the thousands upon thousands of documents required by its auditors is considerable.

To improve the efficiency of conducting audits, it has implemented a new web portal designed to take users through a step-by-step process for reporting data breaches and to ensure all the required information is included in the reports. This eliminates paper chasing, streamlines administrative processes and will ultimately allow the OCR to conduct more audits, issue more guidance and police HIPAA more efficiently and effectively.

The deadline for reporting 2014 HIPAA breaches is March 2, 2015, and while the portal makes breach reporting as simple and straightforward as possible, it may initially take more time to report data breaches as the level of detail required has changed. It is advisable to become familiar with the new portal – and the information it requires you to include with a breach report – well ahead of the reporting deadline.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news