Don’t forget that the required end-of-the-year reporting of any small breaches of unsecured protected health information (PHI) that were discovered in 2019 is coming up. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers and health plans that are covered entities under HIPAA must report breaches of unsecured PHI affecting fewer than 500 individuals annually to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) within 60 days of the end of the year in which the breach was discovered. Reporting of breaches discovered in 2019 will be due by Saturday, February 29, 2020.
Reports may be made through OCR’s website, and a separate report must be made for each breach that occurred in the prior calendar year. The breach report requires responses to a series of questions regarding the entity that experienced the breach (either a covered entity or business associate), the timeframe and nature of the breach, types of PHI involved, number of individuals affected, the safeguards that were in place prior to the breach, the date notice was provided to affected individuals, and actions taken in response to the breach.
These small breaches should have already been reported to each of the affected individuals within 60 days of discovering the breach. Reports to OCR of large breaches (those affecting 500 or more individuals) must be made at the time of reporting to the affected individuals – that is, without delay and in no case later than 60 days from the discovery of the breach.