Upcoming Annual Deadline for HIPAA Small Breach Reporting: March 1, 2022

Arnall Golden Gregory LLP
Contact

HIPAA-covered entities should note the quickly approaching March 1, 2022 deadline for reporting breaches of unsecured protected health information that occurred in 2021 and involved fewer than 500 individuals. This article provides an overview of the legal requirements related to reporting such breaches to the U.S. Department of Health and Human Services (“HHS”).

Background

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities to notify affected individuals and the Secretary of HHS (the “Secretary”) following a breach of unsecured protected health information (“PHI”). Generally, a breach is an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. Keep in mind that the requirement to notify the Secretary is separate from the requirement to notify individuals of a breach of their unsecured PHI, which involves different timelines and additional requirements.1

All covered entities should be alert to the likelihood of such a breach occurring and to the attendant reporting requirements. Breaches happen with marked frequency and to covered entities of all sizes. Even a cursory review of the Secretary’s website listing “Breaches Affecting 500 or More Individuals” reveals that new entries are posted weekly, and almost daily.2  Data on breaches involving fewer than 500 individuals is less readily available, but the most recent Annual Report to Congress on Breaches of Unsecured PHI show that they occur in even greater numbers than those above the 500 individual threshold.3  A misdirected email or improper access to a medical record involving even a single patient’s PHI must be reported to the Secretary if it constitutes a breach.

“Discovery” of a Breach

A breach is considered “discovered” as of the first day on which the breach is known to the covered entity, or would have been known by exercising reasonable diligence.4  Knowledge of the breach will be imputed to the covered entity if any workforce member or agent of the covered entity (other than the person committing the breach) knows of the breach or would have known by exercising reasonable diligence.5  Covered entities are also responsible for logging and notifying the Secretary of breaches that are discovered by their business associates and reported to the covered entity.6

Reporting Requirement

There are different timing requirements for reporting breaches involving fewer than 500 individuals versus those involving 500 or more individuals.7  If a breach of PHI affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. Note, however, a covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; such breaches may be reported prior to the deadline as well.8  Further, HIPAA requires a covered entity to maintain a log or other documentation of such breaches.9

While this article focuses on the upcoming March 1, 2022 deadline for reporting breaches affecting fewer than 500 individuals, covered entities should also be aware of the differences in reporting a breach affecting 500 or more individuals. These differences include required reporting to the Secretary no later than 60 calendar days after discovery of a breach, being listed on the Secretary’s website of “Breaches Affecting 500 or More Individuals,” and may also include a requirement to notify the media of the breach.10

Although HIPAA establishes the general requirement to report breaches of unsecured PHI to the Secretary, it does provide one narrow exception if “a law enforcement official states to a covered entity or business associate that [notification] would impede a criminal investigation or cause damage to national security.”11  In such a unique situation, some flexibility is afforded in the reporting requirement.12

Reporting Procedures

The Secretary maintains a web portal and requires that the portal be used for the submission of all breach notifications required to be submitted to the Secretary.13  The Secretary has posted guidance on its website stating that a covered entity “may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident.”14

Thus, covered entities should be prepared to submit notice to the Secretary through the web portal no later than March 1, 2022 of any breach of unsecured PHI discovered in 2021 which involved fewer than 500 individuals.

 

[1] 45 CFR 164.404.

[2] U.S. Dept. of Health & Human Services, Breaches Affecting 500 or More Individuals, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited Jan. 22, 2022).

[3] See, e.g., U.S. Department of Health and Human Services Office for Civil Rights, Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2019, available at https://www.hhs.gov/sites/default/files/breach-report-to-congress-2019.pdf (last visited Jan. 22, 2022).

[4] 45 CFR 164.404(a)(2).

[5] 45 CFR 164.404(a)(2).

[6] See 45 CFR 164.404(a)(1) and 164.410(1).

[7] 45 CFR 164.408.

[8] U.S. Dept. of Health & Human Services, Submitting Notice of a Breach to the Secretary, http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html (last visited Jan. 22, 2022).

[9] 45 CFR 164.408(c).

[10] U.S. Dept. of Health & Human Services, Breaches Affecting 500 or More Individuals, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited Jan. 22, 2022); 45 CFR 164.406; 45 CFR 164.408(b).

[11] 45 CFR 164.412.

[12] 45 CFR 164.412(a)–(b).

[13] Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true (last visited Jan. 22, 2022).

[14] U.S. Dept. of Health & Human Services, Submitting Notice of a Breach to the Secretary, http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html (last visited Jan. 22, 2022).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising

Written by:

Arnall Golden Gregory LLP
Contact
more
less

Arnall Golden Gregory LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.