Despite all that made 2020 an unusual year, data security incidents did not slow down. For organizations that are covered by the Health Insurance Portability and Accountability Act (HIPAA), the deadline to report small incidents is fast approaching. Organizations that experienced a data security incident in 2020, which affected the protected health information (PHI) of less than 500 individuals, have until March 1, 2021 to submit their notification to the U.S. Department of Health & Human Services' Office for Civil Rights (HHS/OCR).
Under the HIPAA Breach Notification Rule, a covered entity or business associate is required to report a breach that affected fewer than 500 people to HHS/OCR no later than 60 days after the end of the prior calendar year. This year, a covered entity or business associate has until March 1, 2021 to submit its 2020 small breach reports to the agency.
Organizations that still need to report an incident to HHS/OCR should visit the agency's online portal.
For more information on this deadline, contact the author of this post or visit our Data Privacy & Cybersecurity Practice page to find an attorney in your area. Subscribe to this blog to receive email alerts when new posts go up.
**Please consider nominating our national Data Privacy & Cybersecurity Team for the 2021 Advisen Cyber Risk Awards in any or all of the following categories: Cyber Risk Event Response Team of the Year, Cyber Risk Pre-Breach Team of the Year, and Cyber Law Firm of the Year. Nominations close Friday, February 26. Submit your nominations for Lewis Brisbois here.**
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.