January 24, 2022

Volume XII, Number 24


January 21, 2022


HIPAA Small Breach Notifications Due to OCR March 1

Covered entities have until March 1, 2017 to submit to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) breach notification for “small” breaches of unsecured protected health information that were discovered in calendar year 2016.

Breach Notification Requirements

HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Entities must also report small breaches (i.e., those breaches involving fewer than 500 individuals) to OCR no later than 60 days after the end of each calendar year. This year, notifications of small breaches are due no later than March 1, 2017.

If covered entities have delegated breach reporting obligations to business associates (or any other entity), such business associates must meet this OCR notification deadline. Otherwise, business associates fulfill their breach reporting obligations by reporting directly to the covered entity.

Notification Process

Covered entities should submit notice for each small breach online via OCR’s breach portal. The breach portal requires a separate fillable report for each breach rather than a simple upload of the covered entities’ breach logs.

Covered entities should expect to move through a somewhat time-consuming and detailed process. As such, covered entities should not wait until March 1 to begin preparing notifications. Instead, covered entities should designate a person who is responsible for notifications and verify that individual’s availability and capacity to complete the reports in advance of the March 1 deadline. We also recommend that entities prepare the contents of the reports in advance so that any additional appropriate people (e.g., business leaders, privacy/security officers, legal counsel) can review the report prior to submission. Covered entities can collect and track the detailed information required in these breach portal reports during the calendar year to avoid a lengthy OCR notification process and to avoid missing any pertinent information.

Once reports are submitted, covered entities should print each report and a copy of the submission confirmation to maintain documentation of timely notification to OCR. Covered entities should also continue to maintain supporting materials for each breach, as breach notifications can lead to OCR investigations.

©2022 von Briesen & Roper, s.c.

National Law Review, Volume VII, Number 52

About this Author

von Briesen & Roper’s Health Law Section provides comprehensive legal services to the health care industry nationwide as both general counsel and special project counsel. Our clients include integrated delivery systems, academic medical centers, community hospitals, Catholic-sponsored hospitals, rural and critical access hospitals, imaging centers, physicians and multi-specialty clinics, specialty hospitals, ancillary suppliers, home health agencies, nursing homes, hospices, assisted living facilities, mental health and AODA facilities, DME suppliers, laboratories,...

414-287-1514