LEAP, Don't Run, to Make this YEAR's Deadline: HIPAA Small Breach Notifications Due February 29

Davis Wright Tremaine LLP

Deadline approaching for submitting breach notifications to OCR

February 29, 2024, is the date by which HIPAA-covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of all "small" breaches of unsecured protected health information that were discovered during calendar year 2023. A small breach involves fewer than 500 individuals.

HIPAA Notification Requirements

HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay—and no later than 60 days after discovery. Covered entities also must report all small breaches to OCR no later than 60 days after the end of the calendar year in which the small breaches were discovered. For this year, notifications of small breaches are due on or before February 29, 2024.

Most business associates will not be affected by this deadline because their reporting obligation is to the covered entity and not to OCR. The exception occurs when the covered entity has delegated breach reporting to the business associate and the business associate has undertaken the reporting responsibility.

How to Notify OCR

Covered entities should report each small breach separately online here. OCR requires a separate report for each small breach, although we hope someday OCR will provide a means to report multiple small breaches to OCR through a single log or report.

Steps To Take for Notifications

In making these breach notifications to OCR, entities may want to consider:

  • Designating a person within the reporting entity who will be responsible for the notifications and verifying the person's availability to make the notifications in a timely manner. There have been situations when the Privacy Officer was vacationing at the time the notifications were due.
  • Preparing the contents of the notification in advance. It may be helpful to have legal counsel or other appropriate people review the notification prior to submitting to OCR. Click here for a Davis Wright Tremaine template outlining the breach notification questions for reporting through the OCR website.
  • Retaining a "receipt" of the filing of the notification or developing other documentation to demonstrate timely notification to OCR.
  • Verifying that the entity has appropriate documentation in place relating to the breach (including being able to demonstrate notification to affected individuals was sent without unreasonable delay and contained the required content).
  • Being prepared – Notifications may spur investigations and compliance reviews by OCR. Entities would be well-served to revisit the root cause of the reported breach and document the corrective actions implemented to avoid similar future breaches. Additionally, covered entities may want to verify that they are able to explain and have documentation demonstrating compliance with those HIPAA requirements that relate to the breach.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising