Deadline Approaches for Reporting 2012 Small Breaches

HIPAA covered entities have through Friday, March 1, 2013, to report small breaches of unsecured protected health information that occurred in calendar year 2012 to the U.S. Department of Health and Human Services (HHS). A small breach is one that involves fewer than 500 individuals. While covered entities must provide breach notification of small breaches to affected individuals without unreasonable delay (and no later than 60 days after discovery), they must report small breaches to HHS no later than 60 days after the calendar year in which the small breaches occurred (e.g., no later than March 1, 2013, for small breaches that occurred in calendar year 2012).

The recent HIPAA Omnibus Rule revised the Breach Notification Rule, but since it is not yet in effect, covered entities should continue to apply the interim final Breach Notification Rule that was published in August 2009. Under the interim final rule, covered entities need not report an impermissible acquisition, access, use, or disclosure of protected health information if the covered entity can demonstrate that the incident did not lead to a significant risk of financial, reputational, or other harm to the individual(s) whose protected health information was involved in the incident.

Business associates of covered entities should not be affected by this deadline, as their reporting obligation is solely to the covered entity and not to HHS, unless the covered entity has delegated its breach reporting obligations to the business associate.

Covered entities should report each small breach separately online at HHS informally has indicated that it plans on providing a means to report multiple small breaches to HHS on one report in the future. Until then, however, HHS requires a separate report for each small breach.

More than 64,000 small breaches have been reported to HHS since September 2009. Of those small breach reports, we are aware of only one that has led to a formal financial settlement. Nevertheless, it remains possible that for any small breach reported, HHS may initiate an investigation, which could lead to an enforcement action.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:


Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.