Health Law News

HIPAA Breach Notification Reports Due to OCR by March 1, 2011 for Calendar Year 2010 Breaches

Posted on February 24, 2011 in Health Law News

Published by: Hall Render

HIPAA covered entities are required to submit reports of smaller breaches that occurred during calendar year 2010 to the Office for Civil Rights (“OCR”) by March 1, 2011 pursuant to the HIPAA Breach Notification Rule.  Reports must be submitted electronically through OCR’s breach notification web page at:

The Breach Notification Rule requires covered entities to issue notifications of breaches of unsecured protected health information (“PHI”) that compromise the security or privacy of the PHI, unless an exception applies.  “Compromises the security or privacy” of the PHI means a HIPAA Privacy Rule violation that poses a “significant risk of financial, reputational, or other harm to the individual.”  Covered entities are encouraged to conduct a risk assessment to determine if an incident compromised the security or privacy of the PHI prior to issuing breach notifications.

Business associates are required to issue breach notifications to covered entities pursuant to the Breach Notification Rule and the parties’ business associate agreement.

Covered entities are required to notify individuals of breaches without unreasonable delay and in no case later than 60 days following the breach.  This is true regardless of how many individuals were affected by the breach.  In all cases where notification is provided to individuals, covered entities are required to also report those breaches to OCR.  For smaller breaches, i.e., those affecting fewer than 500 individuals, reports are due to OCR no later than 60 days after the end of the calendar year in which the breaches occurred.  This means that annual reports are due by March 1 for the prior calendar year.  For larger breaches impacting 500 or more individuals, notifications must be reported to OCR contemporaneously with the notice to the individuals.

The breach report to OCR must contain the following information:

  • Covered entity’s contact information (and business associate contact information if applicable);
  • A brief description of the breach, including the number of individuals affected, the date of the breach, the date of discovery, and the types of PHI involved;
  • The safeguards in place prior to the breach;
  • The date the individual(s) were notified, and whether substitute notice and/or media notice were required; and
  • Actions taken in response to the breach.

If you need additional information about this topic, please contact