The deadline for reporting healthcare data breaches involving fewer than 500 records that were identified in 2020 is March 1, 2021. Until then, HIPAA-covered entities and business associates can submit their breach reports to the Department of Health and Human Services’ Office for Civil Rights (OCR). Reports of breaches discovered between January 1, 2020 and December 31, 2020 must be submitted by that date.
Under the HIPAA Privacy Rule, a breach is defined as an impermissible use or disclosure of protected health information (PHI) that compromises its security or privacy. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the PHI was compromised. A risk assessment must be performed to determine the probability of PHI compromise. The assessment should consider the nature and extent of the PHI involved, including the likelihood of identifying individuals; the person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed by an unauthorized person; and the degree to which the risk has been mitigated.
The HIPAA Breach Notification Rule requires notifications to be issued to affected persons within 60 days of discovering a breach. All breaches, including security incidents and privacy breaches affecting just one patient, must be reported to OCR. For breaches affecting 500 or more persons, OCR must likewise be notified within 60 days. For a smaller breach, the entity must still notify the patients within 60 days; however, OCR need not be notified until 60 days after the end of the calendar year in which the breach was identified.
Breach reports must be submitted to OCR electronically through the OCR breach reporting website. Although smaller breach reports may be submitted ‘together’ before the deadline through the website, each incident must be reported separately. Because details of the breach must be provided, including contact information, the nature of the breach, and the actions taken in response, submitting these reports can take time. The best approach is to submit breach reports throughout the year as soon as adequate information about the nature, scope, and cause of each breach is known, rather than waiting until the deadline.
Failure to submit small healthcare data breach reports before the deadline may result in sanctions and financial penalties for the covered entity or business associate.