February 2016: The Month of Groundhog Day, Super Bowl 50, Valentine’s Day … and HIPAA Breach Notifications

Feb. 29, 2016, a/k/a Leap Day, is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2015.

A small breach involves fewer than 500 individuals. While HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay (and no later than 60 days after discovery), covered entities must report small breaches to OCR no later than 60 days after the calendar year in which the small breaches were discovered—for this year, no later than Feb. 29, 2016.

Business associates of covered entities should not be affected by this deadline, as their reporting obligation is to the covered entity and not to OCR, unless the covered entity has delegated its breach reporting obligations to the business associate.

How to Notify

Covered entities should report each small breach separately online athttps://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf. OCR has indicated for the last seven years that it plans to provide a means to report multiple small breaches to OCR through a single log or report in the future. As it still has not done so, OCR requires a separate report for each small breach.

Continue reading here.