This is a friendly reminder to all covered entities that, by March 1, 2017, they must report to the Secretary of Health and Human Services any breaches of unsecured protected health information (PHI) that were discovered in 2016 and involved fewer than 500 individuals.
As most, if not all, covered entities know, HIPAA requires covered entities to report all breaches of unsecured PHI to the Secretary. The timeline for reporting, however, differs depending on the scope of the breach.
For any breach affecting more than 500 individuals, the Secretary must be notified without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.
For breaches involving fewer than 500 individuals, a covered entity must keep a log of these events and report them annually to the Secretary. This annual report must be filed within 60 days following the end of the year and should include all reportable breaches that were discovered in the prior year.
Breaches discovered in 2016 and involving fewer than 500 individuals should be reported to the Secretary through the Office of Civil Rights Breach Portal no later than March 1, 2017.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
