March 25, 2019

HIPAA Data Breach Reports Due to OCR by 2/28/19

The HIPAA (Health Insurance Portability and Accountability Act) breach notification regulations require covered entities to self-report the unauthorized access, use or disclosure of unprotected protected health information (PHI) to the Office for Civil Rights (OCR).

If the data breach involves more than 500 individuals, the notification must be made to the OCR immediately. If the breach involves fewer than 500 individuals, the covered entity must notify the OCR within 60 days after the end of the calendar year (or February 28). Either way, the report is submitted through the OCR website, and the process is fairly self-explanatory.

Many covered entities file their breach reports for breaches involving fewer than 500 individuals through the OCR website at the time they are notifying individuals, but many others wait until the deadline to self-report all such breaches.

Whether you decide to report at the time of the breach or at the end of the year, the deadline for reporting these incidents is fast approaching. If you haven’t taken care of the reporting obligation yet, now is the time to do so.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.

About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence
Partner

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...

401-709-3353