All HIPAA covered entities (CEs) should be aware that the deadline for reporting data breaches of fewer than 500 records that occurred in 2018 is March 1, 2019. CEs must report the breaches to the Department of Health and Human Services’ Office for Civil Rights (OCR).
HIPAA’s Breach Notification Rule requires HIPAA-covered entities and their business associates to report data breaches of 500 or more records within 60 days of discovering the breach. CEs must report all small data breaches, defined as involving fewer than 500 files, within 60 days of the end of the calendar year during which the breach took place. Therefore, organisations should report data breaches to OCR by the beginning of March.
Organisations may submit an interim breach report if their investigation has not yet concluded by the March 1 deadline, or if their investigators could not determine how many files were affected by the breach. The organisation can update its breach report as its investigation continues and it collects more information.
The OCR has the power to issue a fine if it finds that an organisation has failed to submit a breach report within the 60-day window.
The OCR usually only fines organisations when they have violated HIPAA’s Rules consistently and in particularly harmful ways. However, OCR has taken action against healthcare organisations for breach notification failures in the past.
In January 2017, OCR issued its first fine solely for a HIPAA Breach Notification Rule violation. Presence Health experienced a data breach in 2013 that affected 836 patients. An unauthorised individual removed operating schedules from its Joliet, IL, surgery centre and could not be located. Presence Health learned of the breach on October 22, 2013, but did not send notifications to patients for 101 days – 31 days later than the reporting deadline. OCR was notified 36 days after the deadline had passed. Presence Health agreed to settle the case with OCR for $475,000.