Understanding the HIPAA Breach Reporting Deadline
As part of the HIPAA Breach Notification Rule (45 CFR 164.400-414), the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) sets specific requirements for what a covered entity or business associate must do after a breach of protected health information (PHI). PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, including the demographic data that ties it to a patient. Common identifying elements include name, address, date of birth, telephone number, Social Security number, insurance information, and full-face photographs, among others.
Under the HIPAA Breach Notification Rule, the timeline for reporting to HHS depends on how many individuals a breach affected. The rule itself does not name the tiers; this article uses the following shorthand for them:
- Minor Breaches are PHI breaches that affected fewer than 500 individuals.
- Meaningful Breaches are PHI breaches that affected 500 or more individuals. A breach affecting exactly 500 people is in this tier; "more than 500" is a common misreading. The count is the total number of individuals, not a per-state figure: the separate requirement to notify prominent media outlets is what turns on more than 500 residents of a single State or jurisdiction being affected.
Under the rule, Meaningful Breaches are treated as the more serious tier. They must be reported to HHS without unreasonable delay and in no case later than 60 calendar days after discovery, where discovery means the first day the breach is known to the covered entity, or would have been known had it exercised reasonable diligence. The 60 days is an outer limit, not a target.
Minor Breaches follow a different schedule for the HHS submission.
All Minor Breaches discovered during a given calendar year must be logged and submitted to HHS no later than 60 days after that calendar year has ended, that is, 60 days from December 31 (March 1, or February 29 in a leap year). This annual batch applies only to the report to HHS: the affected individuals must still be notified of a Minor Breach within 60 days of its discovery, the same deadline that applies to every breach regardless of size.
Over the course of the year, HIPAA requires your organization to monitor, track, and investigate ALL PHI breaches, regardless of size. An impermissible use or disclosure of PHI is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised, so the investigation record matters as much as the eventual report. Behavioral health professionals can use HIPAA compliance software to log and document breaches throughout the year and to support a response to HIPAA audits, should they occur. The documentation your practice gathers should be collated and submitted through the HHS breach notification portal.
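To make the two timelines concrete, here is a small breach-log helper written for this article as an added example; it is not code from the original page or from any HIPAA compliance product. It applies the 500-or-more rule from 45 CFR 164.408 (60 days from discovery for the large tier, 60 days after December 31 of the discovery year for the small tier), builds the annual batch of small breaches, and flags entries whose deadline has passed without a recorded submission. The incident IDs, dates and head counts in SAMPLE_LOG are constructed for illustration and are not real incidents.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# 45 CFR 164.408: breaches affecting 500 or more individuals are reported to HHS
# within 60 calendar days of discovery; smaller ones are logged and submitted no
# later than 60 days after the end of the calendar year in which they were discovered.
HHS_LARGE_THRESHOLD = 500
HHS_WINDOW_DAYS = 60


@dataclass(frozen=True)
class Breach:
    breach_id: str
    discovered: date                 # first day the breach was known, or should reasonably have been known
    individuals_affected: int
    reported_to_hhs: Optional[date] = None


def breach(breach_id: str, discovered_iso: str, individuals_affected: int,
           reported_iso: Optional[str] = None) -> Breach:
    """Convenience constructor taking ISO dates, so a log can be built from plain strings."""
    reported = date.fromisoformat(reported_iso) if reported_iso else None
    return Breach(breach_id, date.fromisoformat(discovered_iso), individuals_affected, reported)


def requires_immediate_hhs_report(b: Breach) -> bool:
    """True for the 500-or-more tier. Exactly 500 counts; the threshold is not 'more than 500'."""
    return b.individuals_affected >= HHS_LARGE_THRESHOLD


def hhs_deadline(b: Breach) -> date:
    """Last permissible day for the HHS submission. The rule also says 'without
    unreasonable delay', so treat this as an outer limit, not a target."""
    if requires_immediate_hhs_report(b):
        return b.discovered + timedelta(days=HHS_WINDOW_DAYS)
    # Small tier: 60 days after Dec 31 of the discovery year. That lands on Feb 29
    # in a leap year and Mar 1 otherwise; timedelta handles the leap-year case.
    year_end = date(b.discovered.year, 12, 31)
    return year_end + timedelta(days=HHS_WINDOW_DAYS)


def annual_small_breach_log(breaches: List[Breach], year: int) -> List[str]:
    """IDs of the under-500 breaches that belong in the annual batch for a discovery year."""
    return sorted(b.breach_id for b in breaches
                  if not requires_immediate_hhs_report(b) and b.discovered.year == year)


def overdue(breaches: List[Breach], today_iso: str) -> List[str]:
    """IDs whose HHS deadline has passed as of today_iso without a recorded submission."""
    today = date.fromisoformat(today_iso)
    return sorted(b.breach_id for b in breaches
                  if b.reported_to_hhs is None and today > hhs_deadline(b))


def days_late(b: Breach) -> int:
    """Days a recorded submission landed past its deadline (0 if on time or not yet submitted)."""
    if b.reported_to_hhs is None:
        return 0
    return max(0, (b.reported_to_hhs - hhs_deadline(b)).days)


# Constructed sample log (hypothetical incidents, not real data):
# one large breach reported late, one at exactly 500, and two small ones across two years.
SAMPLE_LOG = [
    breach("BR-2023-01", "2023-03-10", 1200, reported_iso="2023-05-20"),  # deadline 2023-05-09
    breach("BR-2023-02", "2023-07-04", 12),                               # deadline 2024-02-29 (leap year)
    breach("BR-2023-03", "2023-11-30", 500),                              # exactly 500 -> 2024-01-29
    breach("BR-2022-01", "2022-11-15", 3, reported_iso="2023-02-10"),     # deadline 2023-03-01, on time
]

if __name__ == "__main__":
    for b in SAMPLE_LOG:
        tier = "500+" if requires_immediate_hhs_report(b) else "<500"
        print(f"{b.breach_id}: {tier}, HHS deadline {hhs_deadline(b)}, days late {days_late(b)}")
    print("2023 annual batch:", annual_small_breach_log(SAMPLE_LOG, 2023))
    print("overdue as of 2024-03-15:", overdue(SAMPLE_LOG, "2024-03-15"))
```

The helper tracks only the HHS submission deadline. Individual notice is due within 60 days of discovery for every breach, including the small tier, so a production log would carry that date as a second column rather than inferring it from the HHS tier.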
In January 2017, OCR announced its first settlement based on untimely breach notification (Presence Health, $475,000, for notifying more than 60 days after discovery). That settlement confirmed that the reporting deadline itself is enforced, not only the underlying breach, and that this kind of enforcement is likely to become routine.
Where to Report Breaches
Both tiers are submitted through the HHS Breach Reporting Portal (the OCR breach portal at ocrportal.hhs.gov): Meaningful Breaches individually within 60 days of discovery, Minor Breaches as the annual batch described above. Keep a copy of each submission confirmation with the breach log; it is the evidence of timeliness if OCR asks.