The last day for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights (OCR) is near. HIPAA-covered entities need to report data breaches to OCR and notify affected patients. Breaches that impacted more than 500 individuals must be reported within 60 days from the time the breach was discovered. Breaches that impacted fewer than 500 individuals can be reported up to 60 days after the end of the year in which the breach occurred. For small data breaches in 2017, the final date to report them to OCR is March 1, 2018.
The HIPAA Privacy Rule defines a HIPAA data breach as the “acquisition, access, use or disclosure” of unsecured protected health information (PHI). Unsecured PHI refers to PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,” like encryption. When a breach involves encrypted PHI, it is not necessary to report it. But if the key to unlock the encryption is also compromised, the breach must be reported.
Ransomware attacks are considered reportable HIPAA data breaches even though the PHI is not stolen. It may not be necessary to report a ransomware incident if the covered entity can prove there is a low probability of PHI being compromised during an attack. This is to be determined using a risk assessment (45 CFR 164.402).
Reports on several “small” PHI breaches may be submitted at the same time, but each incident must be reported as a separate event. The breaches can’t be uploaded to the breach portal together. The HIPAA Breach Notification Rule gives extra time to report small data breaches to OCR, but notifications to impacted individuals must still be sent within 60 days from the discovery date, without any delay. If the information is not yet complete, additional data may be submitted to OCR later. If the exact number of affected individuals is not yet final, submit that information as an update to the breach report.
Failing to submit a data breach report will bring severe penalties. Presence Health was fined for delaying breach reports and paid $475,000 to OCR. OCR has therefore encouraged covered entities not to ignore the deadline or delay breach reports. Submit reports of all small PHI breaches to OCR between now and the end of February 2018, and no later than midnight of March 1.