Upcoming Annual Deadline for HIPAA Small Breach Reporting: March 1, 2022

Arnall Golden Gregory LLP

HIPAA-covered entities should note the quickly approaching March 1, 2022 deadline for reporting breaches of unsecured protected health information that were discovered in 2021 and involved fewer than 500 individuals. (The deadline is keyed to the calendar year in which the breach was discovered, not the year in which it occurred.) This article provides an overview of the legal requirements related to reporting such breaches to the U.S. Department of Health and Human Services (“HHS”).

Background

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities to notify affected individuals and the Secretary of HHS (the “Secretary”) following a breach of unsecured protected health information (“PHI”). Generally, a breach is an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. Keep in mind that the requirement to notify the Secretary is separate from the requirement to notify individuals of a breach of their unsecured PHI, which involves different timelines and additional requirements.[1]

All covered entities should be alert to the likelihood of such a breach occurring and to the attendant reporting requirements. Breaches happen with marked frequency and to covered entities of all sizes. Even a cursory review of the Secretary’s website listing “Breaches Affecting 500 or More Individuals” reveals that new entries are posted weekly, and often daily.[2] Data on breaches involving fewer than 500 individuals is less readily available, but the most recent Annual Report to Congress on Breaches of Unsecured PHI shows that they occur in even greater numbers than those above the 500-individual threshold.[3] A misdirected email or improper access to a medical record involving even a single patient’s PHI must be reported to the Secretary if it constitutes a breach.

“Discovery” of a Breach

A breach is considered “discovered” as of the first day on which the breach is known to the covered entity, or would have been known by exercising reasonable diligence.[4] Knowledge of the breach will be imputed to the covered entity if any workforce member or agent of the covered entity (other than the person committing the breach) knows of the breach or would have known by exercising reasonable diligence.[5] Covered entities are also responsible for logging and notifying the Secretary of breaches that are discovered by their business associates and reported to the covered entity.[6]

Reporting Requirement

There are different timing requirements for reporting breaches involving fewer than 500 individuals versus those involving 500 or more individuals.[7] If a breach of PHI affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. Note, however, that a covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; such breaches may be reported prior to the deadline as well.[8] Further, HIPAA requires a covered entity to maintain a log or other documentation of such breaches.[9]

While this article focuses on the upcoming March 1, 2022 deadline for reporting breaches affecting fewer than 500 individuals, covered entities should also be aware of the differences in reporting a breach affecting 500 or more individuals. These differences include reporting to the Secretary without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, being listed on the Secretary’s website of “Breaches Affecting 500 or More Individuals,” and, in some cases, a requirement to notify the media of the breach.[10]

Although HIPAA establishes the general requirement to report breaches of unsecured PHI to the Secretary, it does provide one narrow exception if “a law enforcement official states to a covered entity or business associate that [notification] would impede a criminal investigation or cause damage to national security.”[11] In such a situation, some flexibility is afforded in the reporting requirement: if the law enforcement statement is made in writing and specifies a time period, notification may be delayed for that period; if the statement is made orally, the covered entity must document it and may delay notification for no longer than 30 days from the oral statement unless a written statement is submitted during that time.[12]

Reporting Procedures

The Secretary maintains a web portal and requires that the portal be used for the submission of all breach notifications required to be submitted to the Secretary.[13] The Secretary has posted guidance on its website stating that a covered entity “may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident.”[14]

Thus, covered entities should be prepared to submit notice to the Secretary through the web portal no later than March 1, 2022 of any breach of unsecured PHI discovered in 2021 which involved fewer than 500 individuals.


[1] 45 CFR 164.404.

[2] U.S. Dept. of Health & Human Services, Breaches Affecting 500 or More Individuals, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited Jan. 22, 2022).

[3] See, e.g., U.S. Dept. of Health & Human Services, Office for Civil Rights, Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2019, available at https://www.hhs.gov/sites/default/files/breach-report-to-congress-2019.pdf (last visited Jan. 22, 2022).

[4] 45 CFR 164.404(a)(2).

[5] 45 CFR 164.404(a)(2).

[6] See 45 CFR 164.404(a)(1) and 164.410(a).

[7] 45 CFR 164.408.

[8] U.S. Dept. of Health & Human Services, Submitting Notice of a Breach to the Secretary, http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html (last visited Jan. 22, 2022).

[9] 45 CFR 164.408(c).

[10] U.S. Dept. of Health & Human Services, Breaches Affecting 500 or More Individuals, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited Jan. 22, 2022); 45 CFR 164.406; 45 CFR 164.408(b).

[11] 45 CFR 164.412.

[12] 45 CFR 164.412(a)–(b).

[13] Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true (last visited Jan. 22, 2022).

[14] U.S. Dept. of Health & Human Services, Submitting Notice of a Breach to the Secretary, http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html (last visited Jan. 22, 2022).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising
