The deadline for submitting 2018 data breach reports for breaches that have affected fewer than 500 individuals is March 1, 2019.
The HIPAA Breach Notification Rule requires all HIPAA-covered entities and their business associates to report data breaches involving 500 or more healthcare records without unreasonable delay and no later than 60 days following the discovery of the breach. For smaller breaches the reporting requirements are less strict: the deadline is 60 days from the end of the calendar year in which the breach was discovered, which for 2018 breaches falls on March 1, 2019. Note that this deadline applies to reports submitted to the Department of Health and Human Services' Office for Civil Rights (OCR). State breach notification laws may impose shorter deadlines. The Breach Notification Rule also requires notifications to be issued to affected individuals within 60 days of discovery, regardless of the size of the breach.
If the investigation of the breach has not reached a conclusion prior to the 60-day deadline, the entity or business associate must submit an interim breach report. When additional information is available, the breach report can be updated.
If an entity or business associate fails to report a data breach within 60 days, OCR can penalize the entity for noncompliance. Although financial penalties for HIPAA violations are usually reserved for widespread noncompliance or particularly serious violations, delayed notifications have attracted fines in the past.
In January 2017, OCR issued its first penalty solely for a HIPAA Breach Notification Rule violation. Presence Health experienced a data breach in 2013 that impacted 836 patients. Its Joliet, IL surgery center lost operating room schedules, and Presence Health learned of the loss on October 22, 2013. However, breach notification letters were sent to the affected patients 101 days after the discovery of the loss, 41 days past the 60-day notification deadline. Presence Health notified OCR 36 days after the deadline. Presence Health agreed to settle the case and paid a financial penalty of $475,000.