Deadline for Reporting HIPAA Breaches Affecting Fewer than 500 Individuals: February 29, 2020
January 6, 2020
HIPAA breaches involving fewer than 500 individuals, which occurred during 2019, must be reported to the US Department of Health and Human Services (HHS) by Saturday, February 29, 2020.
Reporting HIPAA Breaches: When Should I Contact HHS?
When reporting HIPAA breaches that involve fewer than 500 people, you have two options: First, you can report these small breaches to HHS as they occur. Or, you can collect the details of these HIPAA breaches and report them to the Secretary of HHS within 60 days of the end of the calendar year (following the year in which the breaches occurred).
Either way, you must log every breach as it happens. Include every breach in your log, regardless of how minor the incident or how few individuals involved.
Covered Entities (CE) and Business Associates (BA) must notify the Secretary of HHS by filling out and electronically submitting a breach report on the HHS website here. If the number of individuals affected by a breach is uncertain at the time of submission, the CE or BA should provide an estimate.
In the case that the CE/BA discovers additional information later, they should submit updates as indicated on the HHS form. If the CE/BA decides to report all breaches affecting fewer than 500 individuals on one date, they must file a separate notice for each breach incident.
Definition of HIPAA Breaches
A simple oversight or event may qualify as a HIPAA breach. Here are a few examples from the HHS website:
- A municipal social service agency disclosed PHI while processing Medicaid applications. They sent consolidated data to computer vendors that were not Business Associates.
- A mental health center did not provide a Notice of Privacy Practices to a father or his minor daughter, who was a patient at the center.
- A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals.
- A grocery store based pharmacy chain maintained pseudoephedrine logbooks containing PHI in a manner. So, that individual PHI was visible to the public at the pharmacy counter.
- A law firm working on behalf of a pharmacy chain impermissibly disclosed the PHI of a customer of the pharmacy. The pharmacy chain and the law firm had not entered into a Business Associate Agreement.
You can view the full list of HHS examples here.
Will I Be Penalized for HIPAA Breaches I Report?
No, HHS will not be penalize you. Logging your HIPAA breaches throughout the year demonstrates to HHS that you are doing your best to comply with the law. Acknowledge potential compromises of PHI and take measures to make sure similar incidents do not occur again.
Neglecting to log HIPAA breaches, however, carries serious consequences. HHS sees this as a failure to cooperate. In order to remain HIPAA compliant, you must train all appropriate employees on logging HIPAA breaches. If HHS audits your organization, they will ask your employees to demonstrate knowledge on the breach report logging process. Otherwise, you may face serious fines.
What if My Business Associate Logged the HIPAA Breach?
If your Business Associate logged the breach and you have designated them as responsible for reporting, that is fine. However, you will want to review the breach report before they file it to make sure it contains correct information.
Additionally, we advise following up with them prior to the deadline (Saturday, February 29, 2020) to make sure they filed the report. Above all, maintaining a signed Business Associates Agreement protects you from being held liable for your BA’s mistakes.
More on Reporting HIPAA Breaches
If you have never logged HIPAA breaches, now is an excellent time to establish a process for proper reporting. You must train your employees on this process so they can help your organization maintain HIPAA compliance.
May 18, 2020
With the onset of COVID-19, many employers have had to face the possibility of the virus entering the workplace. Normally, under the Americans with Disabilities Act (ADA), employers are prohibited… Read More ›Read More
May 6, 2020
On March 13, President Donald Trump declared a national emergency in response to the rapid spread of COVID-19. Two days following this statement, the U.S. Department of Health and Human… Read More ›Read More
April 20, 2020
In this blog post, we review nine email encryption vendors (Barracuda, Egress, Hushmail, Indentillect, MailHippo, LuxSci, Protected Trust, Rmail, & Virtru) who provide HIPAA compliant email encryption services that will… Read More ›Read More