Small Healthcare Data Breaches Must be Reported by February 29, 2024


The deadline for reporting small 2023 healthcare data breaches to OCR is fast approaching. Since 2024 is a leap year, the last date for reporting those breaches is February 29, not March 1 as it is in most years.

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires breaches of unsecured (for example, unencrypted) protected health information to be reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) without unreasonable delay and no later than 60 calendar days from the date the breach is discovered. Individual notifications must also be issued to the affected individuals within 60 days of the discovery of the breach.

The size of a data breach has no impact on the timescale for issuing individual notifications, which must always be issued within 60 days of the discovery of the breach, but there is some flexibility when it comes to reporting small data breaches to OCR. A large data breach, one affecting 500 or more individuals, must be reported to OCR within 60 days of discovery. A breach affecting 1 to 499 individuals may be reported to OCR at any time, but HIPAA-regulated entities must ensure that it is reported no later than 60 calendar days after the end of the calendar year in which the breach was discovered.

Data breaches must be reported via the OCR breach portal, and each breach must be reported individually. Every breach report requires explanations to be provided, so if there have been several small data breaches over the course of the year, reporting them may take some time. It is therefore best not to wait until the last minute, and you must ensure that every breach is reported ahead of the deadline. OCR investigates all large breaches to establish whether they were the result of noncompliance with the HIPAA Rules, and some small data breaches are also investigated. If a breach is reported late, OCR may choose to investigate. Prompt breach reporting is always important, but it is even more so this year, as OCR appears to be gearing up for another round of HIPAA compliance audits, and late reporting could put you on OCR's radar.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/