Reporting Deadline for 2022 Small HIPAA Breaches: March 1, 2023

Arnall Golden Gregory LLP

With 2023 underway, healthcare providers and other “covered entities,” as defined under the Health Insurance Portability and Accountability Act (“HIPAA”), should be mindful of the upcoming annual reporting deadline for small breaches on March 1, 2023.

As part of their responsibilities under the HIPAA Breach Notification Rule, covered entities are required to notify the Secretary of HHS (“Secretary”) of any breach of unsecured protected health information (“PHI”), regardless of size. Each breach must be reported, even if it affected as few as one individual. In instances when a breach of PHI affects fewer than 500 individuals, the HHS Office for Civil Rights (“OCR”) characterizes the breach as a “small” breach and requires the covered entity to notify the Secretary of the breach no later than 60 days after the end of the calendar year in which the breach was discovered. Note that this deadline differs from the requirement to report larger breaches — those affecting 500 or more individuals — no later than 60 calendar days after discovery of a breach.

The HIPAA regulations provide that a breach is considered “discovered” as of the first day on which the breach is known to the covered entity or would have been known by exercising reasonable diligence. The knowledge standard is also not limited to particular individuals within an organization. Instead, “knowledge” of the breach will be imputed to the covered entity if any workforce member or agent of the covered entity (other than the person committing the breach) knows of the breach or would have known of the breach through reasonable diligence.

No later than March 1, 2023, covered entities must file a HIPAA breach report using the OCR breach portal for small breaches discovered in 2022. The Secretary requires that a separate notice be submitted for each breach incident. Thus, depending on the number of small breaches discovered in the prior calendar year, the time required to complete the reporting could be significant. Although a covered entity may choose to report all of its breaches affecting fewer than 500 individuals on one date, it is not required to do so, nor is it required to wait until the March 1 deadline. Failure to report breaches, or late reporting, can lead to fines and other OCR enforcement actions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising
