All covered entities are required to report breaches affecting fewer than 500 individuals by February 29, 2024.
Entities regulated under HIPAA are required to notify the Department of Health and Human Services (HHS) of breaches affecting fewer than 500 individuals (known as small breaches) within sixty days after the end of the calendar year in which the breach was discovered. Because 2024 is a leap year, the deadline for reporting 2023 small breaches to HHS falls on February 29, 2024.
The process of reporting the breach includes:
This deadline requires organizations to systematically document and report breaches, which fosters a culture of transparency and accountability. It directly shapes how organizations manage their PHI security practices, encouraging them to identify vulnerabilities, implement corrective measures, and strengthen their overall data protection strategies. Meeting the deadline also helps healthcare organizations avoid the legal and financial penalties associated with non-compliance.
What information must be included in the breach notification?
The notification must include the date of the breach, the date the breach was discovered, the number of individuals affected, the type and location of breached information, a brief description of the incident, safeguards that were in place before the breach, actions taken in response to the breach, and information about notices provided to affected individuals.
What happens if an organization misses the breach notification deadline?
Failing to meet the breach notification deadline can result in regulatory penalties and fines from HHS, in addition to any enforcement action tied to the underlying breach.
Where can I find more information about HIPAA breach notification requirements?
For comprehensive guidance and resources on breach notification requirements, visit the HHS Office for Civil Rights website or consult a HIPAA compliance expert.