Breach Notification Deadline is February 29th

By: Margaret Young Levi

Heads up! The deadline for notifying the Office for Civil Rights (OCR) of healthcare data breaches affecting fewer than 500 individuals is early this year. Reports of small data breaches may be submitted to OCR annually, usually by March 1st, but because 2024 is a leap year, the reports are due on or before Thursday, February 29th.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities to provide notification following a breach of unsecured protected health information (PHI) to affected individuals, to OCR, and, in certain circumstances, to the media.

HIPAA covered entities must notify all individuals whose unsecured PHI has been, or is reasonably believed to have been, impermissibly used or disclosed without unreasonable delay, and in no case later than 60 calendar days after the discovery of the breach.

Reporting to OCR is accomplished by electronically submitting a breach report form. If a breach affects 500 or more individuals, then the covered entity must submit the breach report to OCR without unreasonable delay and in no case later than 60 days following discovery of the breach. If, however, the breach affects fewer than 500 individuals, then the covered entity may choose to submit such breach reports on an annual basis. (Note that covered entities must submit a separate breach report for each breach incident and cannot combine them.) Annually submitted breach reports are due to OCR no later than 60 days after the end of the calendar year in which the breaches were discovered; for breaches discovered in 2023, that deadline is February 29, 2024.

In addition to notifying the affected individuals and OCR, a covered entity that experiences a breach affecting more than 500 residents of a state or jurisdiction is required to provide notice to prominent media outlets serving that state or jurisdiction. This media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach.

Looking for assistance with your organization’s data security policies? We work with clients and their IT teams in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, the FTC Safeguards Rule, and more. Such policies are essential in today’s cyber threat environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights and the FTC. Information security policies also aid organizations in meeting other legal requirements and expectations, e.g., those of contractual counterparties, cyber insurance underwriters, consumers, and other third parties. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526