This is a friendly reminder to covered entities and their business associates about the deadline to notify the U.S. Department of Health and Human Services Office of Civil Rights (“OCR”) of any HIPAA breaches that were discovered in 2018 and involved fewer than 500 individuals. The deadline to report such breaches to OCR is March 1, 2019.
Under the HIPAA Breach Notification Rule, covered entities and their business associates must provide certain notice following a breach of unsecured protected health information (“PHI”). A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under HIPAA which compromises the privacy or security of the PHI. Not including the limited statutory exceptions to the definition of a breach, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
If the impermissible use or disclosure of PHI does not meet an exception under the Breach Notification Rule and if, based on the results of the aforementioned risk assessment, it is probable that the PHI has been compromised, then the covered entity or its business associate would be required to provide certain notice under HIPAA.
In the event of a breach of unsecured PHI, covered entities and their business associates must notify the affected individuals no later than 60 days following the discovery of the breach.
If the breach involves the PHI of 500 or more individuals, then, in addition to notifying affected individuals, covered entities and their business associates must notify OCR no later than 60 days following a breach. If those 500 or more individuals live in the same State or jurisdiction, then, in addition to notifying the affected individuals and OCR within 60 days, covered entities and their business associates must also notify prominent media outlets serving their State or jurisdiction within 60 days.
However, for breaches affecting fewer than 500 individuals, then, in addition to notifying affected individuals, covered entities and their business associates must notify OCR, but may do so on an annual basis. Notification of breaches affecting fewer than 500 individuals to OCR are due no later than 60 days after the end of the calendar year in which the breaches are discovered.
Therefore, if you are a covered entity or business associate and you discovered a breach involving fewer than 500 individuals in 2018, the deadline to notify OCR of such breaches is 60 days after December 31, 2018, or March 1, 2019. If you have any questions about this deadline or whether you are required to report a breach by March 1, 2019, please contact the health law attorneys at McCarty Law.
Latest posts by Lindsey Croasdale (see all)
- Reminder: Deadline to Report HIPAA Breaches is March 1, 2019 - February 12, 2019
- Health Care Providers: Looking to Improve Your Cybersecurity Compliance? - January 31, 2019
- The Right to Try in Wisconsin for Patients, Providers & Manufacturers: Part 2 - December 7, 2018
- The Right to Try in Wisconsin for Patients, Providers, and Manufacturers: Part One - November 1, 2018
- McCarty Law Step Up Challenge Winter 2018 - May 3, 2018