Deadline to Report 2023 Small Breaches to Health and Human Services (HHS)

HIPAA breaches affecting fewer than 500 individuals in 2023 must be reported to the US Department of Health and Human Services by March 1, 2024.

An organization has two options when reporting:

  1. Report these small breaches to HHS as they occur, or
  2. Collect the details of these HIPAA breaches and report them to the Secretary of HHS within 60 days of the end of the calendar year (following the year in which the breaches occurred).

Either way, you must log every breach as it happens. Include every breach in your log, regardless of how minor the incident is or how few individuals are involved.

How to Report a Breach to HHS

Covered Entities and Business Associates must notify the Secretary of HHS by electronically submitting a breach report on the HHS website here.

If the Covered Entity or Business Associate discovers additional information later, they should submit updates as indicated on the HHS form. If the Covered Entity or Business Associate decides to report all breaches affecting fewer than 500 individuals on one date, they must file a separate notice for each incident.

Definition of HIPAA Breaches

A simple oversight or event may qualify as a HIPAA breach. Here are a few examples from the HHS website:

  1. A municipal social service agency disclosed PHI while processing Medicaid applications. They sent consolidated data to computer vendors that were not Business Associates.
  2. A mental health center did not provide a Notice of Privacy Practices to a father or his minor daughter, a patient at the center.
  3. A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals.
  4. A grocery store-based pharmacy chain maintained pseudoephedrine logbooks containing PHI in a manner that made individual PHI visible to the public at the pharmacy counter.
  5. A law firm working on behalf of a pharmacy chain impermissibly disclosed the PHI of a pharmacy customer. The pharmacy chain and the law firm had not entered into a Business Associate Agreement.

You can view the full list of HHS examples here.

Neglecting to log HIPAA breaches, however, carries serious consequences and can lead to significant fines and penalties. HHS sees this as a failure to cooperate.

What if My Business Associate Logged the HIPAA Breach?

Suppose your Business Associate logged the breach and you have designated them as responsible for reporting. In that case, you will want to review the breach report before they file it to ensure it contains correct information.

Additionally, we advise following up with them before the deadline (Wednesday, March 1, 2024) to ensure they filed the report. Above all, maintaining a signed Business Associate Agreement protects you from being held liable for your Business Associate’s or Business Associate Subcontractor’s mistakes.

More on Reporting HIPAA Breaches

If you have never logged HIPAA breaches, now is an excellent time to establish a process for proper reporting. You must train your employees on this process so they can help your organization maintain HIPAA compliance.

If you need help, this link to the HHS website will guide you through the process. If you have trouble getting started, email ocrprivacy@hhs.gov or call (800)-368-1019 or (800)-537-7697.

Need Help?

Our HIPAA compliance services help ensure your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA-compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.
