All covered entities that discovered security breaches under the Health Insurance Portability and Accountability Act (“HIPAA”) in 2014 should be aware of an upcoming reporting deadline. Specifically, breaches that affected fewer than 500 individuals and were discovered in 2014 must be reported to the U.S. Department of Health and Human Services (“HHS”) by March 1, 2015. Notices should be submitted using forms provided by HHS on its website. While notices of all breaches affecting fewer than 500 people may be submitted on the same day, each breach must be reported on its own form. The form requests information about the reporting company, details about the breach itself, and facts regarding corrective actions and individual notifications.
Covered entities must notify HHS of breaches that affect more than 500 people within 60 days of discovery. Additionally, notices to individuals affected by breaches must be distributed within 60 days of discovery of the breach, regardless of the number of people affected. However, HHS notifications for smaller breaches operate on a different timetable.
After a breach has been reported to HHS, covered entities should be aware that HHS may investigate that breach as well as the entity’s HIPAA compliance infrastructure. Thus, breach reporting is one of many occasions when it would be wise for covered entities to ensure that appropriate corrective action has been implemented, and that the HIPAA compliance program is up to date and compliant with the law.