Pursuant to the HIPAA Breach Notification Rule, covered entities are required to notify the Secretary of HHS upon discovery of a breach of unsecured protected health information. The timing of that notification depends on whether the breach affects 500 or more individuals or fewer than 500.
For breaches affecting 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 calendar days from the date of discovery of the breach. Several states impose shorter time frames, and notification to state regulators frequently must occur at essentially the same time as the notification to affected individuals.
For breaches affecting fewer than 500 individuals, notification to the affected individuals is still required without unreasonable delay and in no case later than 60 days from the date of discovery, but notification to the Secretary has an extended deadline: these breaches must be reported to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered. Thus, all breaches affecting fewer than 500 individuals that were discovered in 2021 must be reported by March 1, 2022 (60 days after December 31, 2021). A covered entity may submit all of its small breaches for the year on the same date, but a separate notice is required for each breach incident.
All breach notifications to the Secretary must be submitted through the breach reporting web portal on the HHS website. Given the likely high volume of submissions in the days before the deadline and past technical issues with portal availability, we strongly advise clients to submit their notifications as soon as possible, and generally at least a week before the deadline.
Now is the time to review your HIPAA incident log and determine whether any privacy or security incidents discovered in 2021 trigger a reporting obligation.