March 1, 2014 is Deadline to Report Breaches Affecting Less than 500

strike before midnightSaturday, March 1, 2014, is the deadline for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) all “small breaches” of unsecured protected health information that occurred during 2013.  Entities subject to this deadline include a health care provider that conducts certain transactions in electronic form, health plans and health care clearinghouses.  A “small breach” is a breach affecting less than 500 individuals.

Although affected individuals must be notified within 60 days of the breach’s discovery, the breach itself also must be reported to OCR within 60 days of the close of the calendar year in which it was discovered, or by March 1 of the following year.  The notice must be submitted electronically.  A separate breach notification form must be completed for each breach.  To submit breach notification reports to OCR, click here.

Remember: HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule, has a new definition of a “breach” that became effective March 26, 2013.  It is OCR’s position that a breach is presumed—unless an entity can demonstrate that there is a Low Probability that the data has been Compromised (LoProCo). With any loss, theft or potential unauthorzed access to unsecured protected health information, entities should immediately perform a risk assessment and look at certain factors to decide whether there is a low probability of compromise or LoProCo. If a LoProCo analysis is not done, a breach is presumed and, even if under a LoProCo analysis it would not have been a breach, a loss, theft or unauthorized access of unsecured protected health information must be reported as a breach to OCR.  For more information about the LoProCo analysis, see our previous post on December 1, 2013, here.

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.