The HIPAA Breach Notification Rule requires that data breaches of 500 or more records be reported to the Secretary of the Department of Health and Human Services no more than 60 days after the breach was first identified. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was suffered – 45 C.F.R. § 164.408.
That means smaller healthcare data breaches must normally be reported to HHS no later than March 1 each year, but this year is a leap year, so there is an additional day in February and the deadline for reporting smaller breaches falls one day earlier. All breaches that have impacted fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020.
All breaches must be filed with the Secretary of HHS using the Office for Civil Rights breach portal. Each data breach must be reported separately, and full information about each breach should be included. If many small data breaches have been suffered in the 2020 calendar year, reporting them can take some time. It is therefore important not to leave the reporting of data breaches to the last minute, to ensure the deadline is not missed. If data breaches are reported after the 60-day deadline, financial penalties can be imposed.
If a breach has been suffered and the number of individuals impacted has not yet been determined, the breach report should include an estimate of the number of people impacted. Reporting the breach must not be delayed. When the exact number of impacted people is known, an addendum can be filed. Addenda should also be used to update breach reports when further information about the breach becomes available.