Reminder: Notice of 2017 small HIPAA breaches due to HHS soon
The deadline to submit notice to the Department of Health and Human Services (HHS) of small HIPAA breaches (those that affected fewer than 500 individuals) discovered in calendar year 2017 is March 1, 2018.
The applicable HIPAA regulation (45 CFR 164.408(c)) provides:
For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.
Notice of such breaches should have already been sent to the affected individuals. However, if covered entities waited to notify HHS, they should submit notices soon. Breaches are to be reported using the HHS website.
Covered entities face additional penalties for failing to report breaches in a timely manner. And, it should be noted that HHS audited for compliance with notice requirements as part of its Phase 2 audits.
This is for informational purposes only. It is not intended to be legal advice and does not create or imply an attorney-client relationship.Download PDF