The deadline for reporting small breaches to the Department of Health and Human Services (HHS) is quickly approaching. By February 29th, all Covered Entities (CEs) that have had breaches of unsecured protected health information (PHI) that affected 500 individuals or more during 2015 must submit their annual reports if they haven’t done so already.
In case you’re unclear about whether or not this deadline applies to your organization, remember that HHS defines a CE as a health plan, health care clearinghouse, or health care provider that transmits “any information in an electronic form in connection with a transaction for which HHS has adopted a standard.” More or less, that includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that handle PHI electronically. You can read more about HHS’s regulation on CEs here. If your organization meets these qualifications and has had a small data breach in 2015, you can visit HHS’s site before February 29th to submit your annual report.
HIPAA regulation works differently depending on the size and scope of the breach in question, so keep in mind that this deadline and the annual reporting process apply only to small breaches. Breaches that have affected more than 500 individuals need to be reported within 60 days of the discovery of the breach to the appropriate state and federal contacts. Patients whose PHI has been breached should always be notified within 60 days of the discovery as well.
Don’t let this deadline pass without reporting any outstanding breaches. All you need to do is check out HHS’s reporting page and fill in the appropriate information before February 29th.