HIPAA Small Breach Notifications Due to OCR March 1
Tuesday, February 21, 2017
HIPAA, Health Information
Print Mail Download i

Covered entities have until March 1, 2017 to submit to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) breach notification for “small” breaches of unsecured protected health information that were discovered in calendar year 2016.

Breach Notification Requirements

HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Entities must also report small breaches (i.e., those breaches involving fewer than 500 individuals) to OCR no later than 60 days after the end of each calendar year. This year, notifications of small breaches are due no later than March 1, 2017.

If covered entities have delegated breach reporting obligations to business associates (or any other entity), such business associates must meet this OCR notification deadline. Otherwise, business associates fulfill their breach reporting obligations by reporting directly to the covered entity.

Notification Process

Covered Entities should submit notice for each small breach online via OCR’s breach portal. The breach portal requires a separate fillable report for each breach rather than a simple upload of the covered entities’ breach logs.

Covered entities should expect to move through a somewhat timely and detailed process. As such, covered entities should not wait until March 1 to begin preparing notifications. Instead, covered entities should designate a person who is responsible for notifications and verify that individual’s availability and capacity to complete the reports in advance of the March 1 deadline. We also recommend that entities prepare the contents of the reports in advance so that any additional appropriate people (e.g., business leaders, privacy/security officers, legal counsel) can review the report prior to submission. Covered entities can collect and track the detailed information required in these breach portal reports during the calendar year to avoid a lengthy OCR notification process and to avoid missing any pertinent information.

Once reports are submitted, covered entities should print each report and a copy of the submission confirmation to maintain documentation of timely notification to OCR. Covered entities should also continue to maintain supporting materials for each breach, as breach notifications can lead to OCR investigations.

©2024 von Briesen & Roper, s.c

Current Legal Analysis

More from von Briesen & Roper, s.c.

FTC Issues Final Rule Banning Non-Competes
by: Robert J. Simandl , Craig T. Papka
DOL Releases Final Overtime Rule, Making Millions More Workers Eligible for Overtime
by: Erica A. Storm
U.S. Supreme Court Holds That A Unilateral Job Transfer Maintaining the Same Pay and Benefits Could Be Discrimination Under Title VII
by: James R. Macy
Policy Exceptions – A Tale of Two Interpretations
by: Steven R. Beckham
Use of the ASTM E1527-21 Phase I Environmental Site Assessment Standard Practice is Now Required to Meet CERCLA Liability Protections
by: David P. Ruetz , Christina M. Lucchesi
DOL Issues SECURE 2.0 Guidance on PLESAs and Automatic Portability
by: Kelly J. Noyes
What Compliance Officers Need to Know From 2023’s Compliance Trends
by: Stacy C. Gerber Ward
What You Need To Know About The Corporate Transparency Act
by: Randy S. Nelson
Appellate Court of Illinois and Seventh Circuit Issue Conflicting Decisions Regarding Applicability of “Violation-of-Law Exclusion” in BIPA Actions
by: Edric S. Bautista , Mollie T. Kugler
Your Company’s Beneficial Ownership Information Report Required by the Corporate Transparency Act Is Due Soon
by: Randy S. Nelson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins