All covered entities that discovered security breaches under the Health Insurance Portability and Accountability Act (“HIPAA”) in 2014 should be aware of an upcoming reporting deadline.  Specifically, breaches that affected fewer than 500 individuals and were discovered in 2014 must be reported to the U.S. Department of Health and Human Services (“HHS”) by March 1, 2015.  Notices should be submitted using forms provided by HHS on its website.  While notices of all breaches affecting fewer than 500 people may be submitted on the same day, each breach must be reported on its own form.  Information requested includes information about the reporting company, details about the breach itself, and facts regarding corrective actions and individual notifications.

Covered entities must notify HHS of breaches that affect more than 500 people within 60 days of discovery.  Additionally, notices to the individuals affected by a breach must be distributed within 60 days of discovery, regardless of the number of people affected.  HHS notification for smaller breaches, however, runs on a different timetable.

After a breach has been reported to HHS, covered entities should be aware that HHS may investigate the breach as well as the entity’s HIPAA compliance infrastructure.  Thus, breach reporting is one of many occasions when it would be wise for covered entities to ensure that appropriate corrective action has been implemented, and that the HIPAA compliance program is up to date and compliant with the law.

Posted by Leah Roffman
