The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-regulated entities to issue notifications to affected individuals without unreasonable delay, and no later than 60 days from the discovery of a breach of individuals’ protected health information (PHI). When a suspected data breach has occurred that warrants notifications to individuals, there is also a requirement to send a notification to the Secretary of the Department of Health and Human Services (HHS).
If a data breach impacts 500 or more individuals, HIPAA-regulated entities are required to notify the HHS Office for Civil Rights (OCR) without unreasonable delay and no later than 60 days from the date of discovery of the data breach. When a data breach affects fewer than 500 individuals, HIPAA is more flexible and allows HIPAA-regulated entities 60 days from the end of the calendar year in which the breach was discovered to report the breaches to HHS. The deadline for submitting annual reports of data breaches affecting fewer than 500 individuals is therefore fast approaching. Those breaches must be reported to HHS no later than 11:59:59 pm on March 1, 2022, i.e. before midnight at the start of March 2, 2022.
It is worth emphasizing that the extended time for reporting breaches to OCR does not apply to individual notifications for affected individuals. Those notifications must always be sent without unreasonable delay and no later than 60 days from the date of discovery of the breach. The extension ONLY applies to notifications to OCR.
While the deadline is, at the time of writing, more than 5 weeks away, it is advisable not to leave the reporting of data breaches to the last minute. Regardless of the number of individuals affected, data breaches must be submitted individually using the HHS breach reporting web portal. HIPAA-regulated entities may have experienced several small data breaches in 2021, and submitting reports of the data breaches and providing all the necessary information can be a time-consuming process.
Further, it is likely that many HIPAA-regulated entities will be using the web portal to report data breaches in the days leading up to the reporting deadline, so it is conceivable that high numbers of users may render the web portal inaccessible. It is therefore advisable to report all data breaches well ahead of the March 1, 2022, reporting deadline. A late submission may create a red flag that prompts OCR to conduct a compliance review or audit, and it risks a penalty for non-compliance.