HIPAA Breach Reporting Deadline


Understanding the HIPAA Breach Reporting Deadline

As a part of the HIPAA Breach Notification Rule, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) sets specific rules for actions that must be taken in the event of data breaches of protected health information (PHI). PHI is defined in HIPAA regulation as any demographic information that can be used to identify a patient. Common examples of PHI include name, address, date of birth, telephone number, Social Security number, insurance information, and full facial photos, to name a few.

Under the HIPAA Breach Notification Rule, HHS has identified two different kinds of PHI breaches:

  • Minor Breaches are PHI breaches that have affected fewer than 500 individuals in a single jurisdiction.
  • Meaningful Breaches are PHI breaches that have affected more than 500 individuals in a single jurisdiction.

Under the law, Meaningful Breaches are considered particularly serious. The HIPAA breach-reporting deadline for Meaningful Breaches is within 60 days of the discovery of the breach.

However, Minor Breaches have different protocols.

The HIPAA Breach Notification Rule mandates that ALL Minor Breaches that have occurred over the course of a given calendar year must be reported NO LATER than 60 days after the calendar year has ended (that is, 60 days from December 31st of a given year).

Over the course of the year, HIPAA mandates that your organization monitor, track, and investigate ALL PHI breaches, regardless of the size of the breach. Behavioral health professionals can use HIPAA compliance software to monitor and document breaches throughout the year–and help respond to HIPAA audits, should they occur. Documentation that your practice has gathered should be collated and reported on the HHS breach notification portal.

In 2017, the first HIPAA settlement in history occurred for a violation of the HIPAA Breach Notification Rule–a shocking confirmation that this kind of enforcement is likely to become mainstream in the years ahead.

Where to Report Breaches

Use the HHS Breach Reporting Portal here to report your minor breaches!
