Due date for Reporting 2021 PHI Breaches Impacting Less Than 500 People

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule strictly limits the time for sending notification letters to people who had their protected health information (PHI) exposed or impermissibly disclosed. The breached entity has up to 60 days from the time of data breach discovery to send notifications to affected individuals. However, notification letters must be provided “without unreasonable delay.”

Besides sending breach notification letters to people impacted by a data breach, the HIPAA Breach Notification Rule likewise requires sending notifications to the Secretary of the Department of Health and Human Services (HHS) concerning a data breach. The time frame for sending that notification is dependent on the number of people impacted by the data breach.

In case a data breach impacts 500 and up persons, the Secretary of the HHS should likewise be informed without unreasonable delay and no longer than 60 calendar days following the breach discovery. When all data concerning the breach is not known in 60 days, the breach report must still be submitted to the HHS, and it could be corrected later on when additional information is available.

In case a data breach has impacted less than 500 people, HIPAA-regulated entities can report the breaches later to the HHS. However, the time period for sending individual notices remains 60 days from the time of discovering the breach, irrespective of how many people were impacted.

The due date for sending reports of breaches involving less than 500 individuals’ PHI to the HHS is 60 days from the last day of the calendar year during which the breach was identified. So, all PHI breaches identified in 2021 that impacted the PHI of less than 500 people ought to be reported to the Secretary of the HHS no after March 1, 2022, 11:59:59 p.m. Every breach should be reported to the HHS individually through the breach reporting program on the HHS portal.

A lot of HIPAA-regulated entities do not report their breaches until the reporting deadline is close at hand, therefore the breach reporting website will likely see a lot of traffic when the due date approaches, which can possibly cause accessibility issues. It is consequently a good idea to report breaches much earlier than the breach reporting due date.

You ought to remember that a number of states have approved laws that cover data breach reporting, and the time period for submitting breach reports may be shorter compared to those of the HIPAA Breach Notification Rule. In a lot of instances, HIPAA-regulated entities are not affected by state breach notification laws as long as they adhere to the reporting conditions of HIPAA. In case they aren’t compliant with the Breach Notification Rule, an investigation by the state attorneys general may lead to the issuance of civil monetary penalties for HIPAA or state regulations violations.