The Health Insurance Portability and Accountability Act's Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information (ePHI) to the Department of Health and Human Services' Office for Civil Rights (OCR).
Large-scale data breaches, those affecting 500 or more individuals, must be reported to OCR within 60 days of the breach being discovered, but covered entities are permitted to delay the reporting of smaller breaches.
All affected patients must be notified of any breach of their ePHI within 60 days of discovery, regardless of how many people were affected by the breach, but for breaches affecting fewer than 500 individuals OCR does not require notification until 60 days after the end of the calendar year in which the breach was discovered.
The OCR deadline for reporting healthcare data breaches discovered in calendar year 2016 that affected fewer than 500 patients is March 1, 2017.
As with larger breaches, all smaller incidents must be filed via the OCR breach reporting tool. Smaller breaches can be submitted at the same time, but each breach must be entered into the breach reporting tool as a separate report, together with any supporting details.
Even if the full details of the breach are not yet clear, covered organizations should file the official reports before the March 1 deadline. An addendum can be made to the breach report when further details are known.
It is strongly recommended that responsibility for reporting data breaches be assigned to a single individual, and that the process of uploading the breach reports begin as soon as possible. Covered entities should not wait until February 28 or March 1 to submit their breach reports. Delayed or late reporting of healthcare data breaches is a violation of the HIPAA Breach Notification Rule, and as has already been seen in 2017, penalties for late breach notifications can be issued.
In January, OCR took action against Presence Health Network for delaying the issuing of breach notification letters to patients without a valid reason for doing so. Presence Health paid OCR $475,000 to settle the case.