The deadline for reporting healthcare data breaches of fewer than 500 records is fast approaching. HIPAA-regulated entities must ensure these data breaches are reported to the HHS’ Office for Civil Rights (OCR) no later than March 1, 2023. Late reporting of data breaches is a HIPAA violation and can result in a financial penalty.
The HIPAA Breach Notification Rule requires HIPAA-regulated entities to issue notifications to all individuals whose protected health information has been exposed or impermissibly disclosed without unnecessary delay, and no later than 60 days from the discovery of a data breach. HIPAA-regulated entities are also required to report data breaches to the Secretary of the HHS via the OCR breach reporting portal.
The HIPAA Breach Notification Rule requires large data breaches – affecting 500 or more individuals – to be reported to OCR within the same time frame – No later than 60 days from the discovery of the data breach. There is greater flexibility for reporting data breaches affecting fewer than 500 individuals. HIPAA-regulated entities must also report these breaches via the OCR breach reporting portal, but they have 60 calendar days from the end of the year when the breach was discovered to report the data breaches. That means the deadline for reporting these small data breaches is March 1, 2023. It should be stressed that if a HIPAA-regulated entity chooses to take advantage of this Breach Notification Rule flexibility, the extended time frame ONLY applies to breach reporting to OCR. The individuals who had their PHI exposed or impermissibly disclosed must still be notified about the breach within 60 days of when the breach was discovered.
All data breaches must be reported individually through the OCR breach reporting portal. The breach reports must include details of the breach and the efforts made to remediate those incidents. If a HIPAA-regulated entity has experienced multiple small data breaches over the course of a year, that process may take some time. It is therefore best not to wait until the last minute to report the data breaches.
The post March 1, 2023: HIPAA Breach Notification Rule Deadline for Reporting Small Data Breaches appeared first on HIPAA Journal.