March 1, 2019 Deadline for Small Healthcare Data Breach Reports Submission

March 1, 2019 is the deadline for submitting to the Department of Health and Human Services’ Office for Civil Rights (OCR) all 2018 data breach reports for breaches that affected fewer than 500 individuals.

The HIPAA Breach Notification Rule requires all HIPAA-covered entities and business associates to report data breaches exposing 500 or more healthcare records within 60 days of the date the breach is discovered. The reporting requirements for smaller breaches are less strict and allow submission up to 60 days from the last day of the calendar year in which the breach occurred. Note that this due date applies to reporting breaches to OCR; state legislation may require breaches to be reported earlier. The Breach Notification Rule requires that affected patients be notified within 60 days, regardless of the size of the breach.

If the investigation of the data breach is not finished before the deadline, the covered entity or business associate must file an interim breach report. As more information becomes available, the breach report must be updated.

If a covered entity or business associate does not report a data breach within 60 days, OCR can issue penalties for noncompliance. Although HIPAA violation penalties are typically issued only where there is widespread noncompliance or a severe HIPAA violation, fines have been issued for late notifications in the past.

In January 2017, OCR issued the first ever penalty for a violation of the HIPAA Breach Notification Rule. Presence Health’s 2013 data breach impacted 836 patients. Operating schedules went missing from its surgery center in Joliet, IL, and Presence Health discovered the potential breach on October 22, 2013. Nonetheless, Presence Health only sent breach notification letters to the affected patients 101 days after discovering the lost records, 31 days past the notification deadline. Presence Health notified OCR 36 days after the due date. Presence Health agreed to pay a $475,000 fine to settle the violation.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]