Deadline for HIPAA Breach Notification Approaching

 
January 13, 2015

Related Industry:

Healthcare
 
Alerts

Under HIPAA rules, covered entities are required to report breaches of unsecured protected health information (PHI) to the Secretary of the Office for Civil Rights (OCR). The deadline for reporting breaches of PHI discovered during 2014 that affected fewer than 500 individuals is March 1, 2015.

The U.S. Department of Health & Human Services Office for Civil Rights website (www.hhs.gov/ocr) states that the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.

Breaches involving more than 500 individuals must be reported within 60 days of discovery of the breach.

Reports should be made electronically on the U.S. Department of Health & Human Services Office for Civil Rights website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/.

What This Means to You

If you discovered a breach of unsecured PHI during 2014, you must take action. Breaches involving more than 500 individuals must be reported within 60 days of discovery of the breach. Breaches involving fewer than 500 individuals must be reported by March 1, 2015. If you fail to comply, you will be in violation of HIPAA, and penalties for noncompliance may be issued.

Professional:

Deborah C. Hiser

Senior Counsel