With 2021 underway, covered entities should be mindful of the annual Health Insurance Portability and Accountability Act (HIPAA) small breach reporting deadline. HIPAA requires covered entities to report breaches of unsecured protected health information to the Secretary of the U.S. Department of Health and Humans Services (HHS). Breaches affecting fewer than 500 individuals are considered “small breaches” and must be reported no later than 60 days after the end of the calendar year in which the breach was discovered. For small breaches discovered in 2020, the deadline for reporting is March 1, 2021.
To file a HIPAA breach report, covered entities must use the HHS Office for Civil Rights breach portal. Each breach must be reported, even if it affected as few as one individual. The portal permits a business associate to report its own breach on behalf of the applicable covered entity, but the reporting obligation ultimately rests with the covered entity. Thus, a covered entity may wish to retain the reporting responsibility, or review reports prepared by a business associate on its behalf prior to filing, to ensure that they are accurate and timely. Failure to report breaches, or late reporting, can lead to fines.
For assistance submitting a breach report or with other HIPAA compliance matters, please contact Madison M. Pool or Laura S. Dona.