Reporting Deadline for 2022 Small HIPAA Breaches: March 1, 2023

With 2023 underway, healthcare providers and other “covered entities,” as defined under the Health Insurance Portability and Accountability Act (“HIPAA”), should be mindful of the upcoming annual reporting deadline for small breaches on March 1, 2023.

As part of their responsibilities under the HIPAA Breach Notification Rule, covered entities are required to notify the Secretary of HHS (“Secretary”) of any breach of unsecured protected health information (“PHI”), regardless of size. Each breach must be reported, even if it affected as few as one individual. In instances when a breach of PHI affects fewer than 500 individuals, the HHS Office for Civil Rights (“OCR”) characterizes the breach as a “small” breach and requires the covered entity to notify the Secretary of the breach no later than 60 days after the end of the calendar year in which the breach was discovered. Note that this deadline differs from the requirement to report larger breaches — those affecting 500 or more individuals — no later than 60 calendar days after discovery of a breach.

The HIPAA regulations provide that a breach is considered “discovered” as of the first day on which the breach is known to the covered entity or would have been known by exercising reasonable diligence. The knowledge standard is also not limited to particular individuals within an organization. Instead, “knowledge” of the breach will be imputed to the covered entity if any workforce member or agent of the covered entity (other than the person committing the breach) knows of the breach or would have known of the breach through reasonable diligence.

No later than March 1, 2023, covered entities must file a HIPAA breach report using the OCR breach portal for small breaches discovered in 2022. The Secretary requires that a separate notice be submitted for each breach incident. Thus, depending on the number of small breaches discovered in the prior calendar year, the time required to complete the reporting could be significant. Although a covered entity may choose to report all of its breaches affecting fewer than 500 individuals on one date, it is not required to do so, nor is it required to wait until the March 1 deadline. Failure to report breaches, or late reporting, can lead to fines and other OCR enforcement actions.

For assistance analyzing whether a particular occurrence constitutes a reportable breach or for guidance with other HIPAA compliance matters, including obligations related to submitting a breach report, please contact AGG Healthcare partners Lanchi Bombalier or Madison Pool.