Under the HIPAA Breach Notification Rule, Covered Entities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) breaches of unsecured protected health information affecting fewer than 500 individuals (“small breaches”) no later than 60 days after the end of the calendar year in which the breaches were discovered. This year’s small breach reporting deadline is Thursday, March 1, 2018. Covered Entities that have not already done so must submit their reports of small breaches discovered in 2017 electronically through the HHS Office for Civil Rights website.
Recent enforcement actions highlight the importance of timely reporting of small breaches to HHS and to the affected individuals. For example, in a resolution agreement announced in 2017, a large healthcare system agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a two-year corrective action plan following one large breach and several small breaches. Moreover, earlier this month, a large kidney dialysis provider entered into a $3.5 million resolution agreement and a two-year corrective action plan with HHS to settle potential HIPAA violations stemming from five separate small breaches.
Covered Entities should take note of the significance HHS places on timely breach reporting—even for breaches that are “small.”