HIPAA and Compliance News

Deadline to Report PHI Breaches Impacting Less Than 500 People Nears

March 1 is the deadline to report 2021 PHI breaches impacting less than 500 people to HHS under the HIPAA Breach Notification Rule.

Deadline to Report PHI Breaches Impacting Less Than 500 People Nears

Source: Getty Images

By Jill McKeon

- Under the HIPAA Breach Notification Rule, covered entities must report all protected health information (PHI) breaches to HHS. If the breach impacted more than 500 individuals, covered entities must report it to HHS within 60 days of the incident.

However, organizations may report breaches that impacted less than 500 individuals to HHS on a yearly basis. Specifically, entities are required to report these breaches “no later than 60 days after the end of the calendar year in which the breaches are discovered,” HHS’ website states.

That means that by March 1, all covered entities must disclose small healthcare data breaches to HHS. After March 1, organizations run the risk of facing non-compliance penalties.

It is important to note that organizations that suffered data breaches impacting less than 500 individuals still must notify those individuals within 60 days of discovering the breach. Covered entities are simply given additional time to report this information to HHS.

“These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable),” HHS states.

If the covered entity cannot find contact information for 10 or more individuals, it is required to post a notice on the home page of its website for at least 90 days. Unsecured PHI breaches that impacted more than 500 individuals must also be reported to prominent media outlets and can be found on the Office for Civil Rights (OCR) data breach portal.

Data breaches can come in the form of hacking incidents, unauthorized access or disclosure, improper disposal, or theft. Covered entities and their business associates are required to comply with breach notification rules.

“Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach,” HHS noted.

“Covered entities are also required to comply with certain administrative requirements with respect to breach notification.  For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.”