Deadline for Reporting 2021 PHI Breaches Affecting Fewer Than 500 Individuals

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule sets a strict time limit for issuing notifications to individuals whose protected health information (PHI) was compromised or impermissibly disclosed. The maximum time frame is 60 days from the discovery of the security breach, although notification letters must be sent “without unreasonable delay.”

In addition to requiring notification letters to be mailed to the individuals affected by a data breach, the HIPAA Breach Notification Rule requires the Secretary of the Department of Health and Human Services (HHS) to be notified of the breach. The time frame for submitting that notification depends on the number of people affected by the breach.

If a data breach affects 500 or more individuals, the Secretary of the HHS must also be notified without unreasonable delay and no later than 60 calendar days after the discovery of the breach. If not all information about the breach is available within 60 days, the HHS must still be notified of the breach, and the report can be updated at a later date when more details are known.

If a data breach has affected fewer than 500 people, HIPAA-regulated entities have more time to submit the breach report to the HHS. Note that the time period for individual notification remains 60 days from the discovery of the breach, regardless of how many individuals were affected.

The deadline for reporting breaches involving the PHI of fewer than 500 people to the HHS is 60 days after the end of the calendar year in which the breach was discovered. All PHI breaches discovered in 2021 that affected the PHI of fewer than 500 individuals therefore need to be reported to the Secretary of the HHS on or before 11:59:59 p.m. on March 1, 2022. Each breach should be reported to the HHS separately using the breach reporting program on the HHS portal.

Many HIPAA-regulated entities do not complete their breach reporting until close to the reporting deadline, so the breach reporting site is likely to see heavy traffic as the deadline approaches, which may cause accessibility problems. It is therefore a good idea to report any breaches ahead of the breach reporting deadline.

Bear in mind that various states have passed laws covering the submission of data breach reports, and their time frames for reporting breaches can be shorter than those of the HIPAA Breach Notification Rule. In a number of cases, HIPAA-regulated entities are exempt from state breach notification regulations provided they comply with the reporting requirements of HIPAA. If they do not comply with the Breach Notification Rule, state attorneys general may choose to investigate, and civil monetary penalties may be imposed for violations of HIPAA or state rules.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.