Deadline for Reporting 2019 Healthcare Data Breaches With Fewer than 500 Health Records

The HIPAA Breach Notification Rule (45 C.F.R. § 164.408) requires healthcare organizations to report data breaches of 500 or more health records to the Secretary of the Department of Health and Human Services (HHS) no later than 60 days following the discovery of a breach. Breaches of less than 500 health records could be reported to the DHS at any time as long as it is no later than 60 days from the end of the calendar year when the data breach occurred.

That means smaller healthcare data breaches should generally be reported to the HHS by March 1 each year. However, because this year is a leap year, February has an extra day. And so the deadline for reporting smaller breaches is earlier by one day or no later than February 29, 2020.

All breaches should be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach should be reported independently including all the information concerning each breach. In the event that there are a number of small data breaches experienced in the 2020 calendar year, submitting breach reports might take more time. It is thus recommended not to wait until the last minute to send the data breach reports to make sure not to miss the deadline. When data breach reports are submitted later than the 60-day deadline, there will be financial penalties.

When the number of individuals affected by a breach is not yet determined, an estimated number of people affected by the breach should be provided. It is not permissible to delay breach reporting. If the actual number of affected individuals is known, there must be a submission of an addendum. Addenda must also be utilized to update breach reports when there are additional data regarding the breach.