HIPAA-covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of "small" breaches of unsecured protected health information that were discovered during calendar-year 2022 no later than March 1, 2023. A small breach involves fewer than 500 individuals.
HIPAA Small Breach Notification Requirements
HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay—and no later than 60 days after discovering the breach. Covered entities also must report small breaches to OCR no later than 60 days after the end of the calendar year in which the small breaches were discovered. For this year, notifications of small breaches for 2022 are due on or before March 1, 2023.
Most business associates will not be affected by this deadline because their reporting obligation is to the covered entity and not to OCR, unless the covered entity has delegated its breach reporting obligations to the business associate.
How to Notify OCR
Reporting entities should report each small breach separately online here. OCR requires a separate report for each small breach, although we hope someday OCR will provide a means to report multiple small breaches to OCR in a single report.
Steps to Take for Notifications
In making these notifications, entities providing OCR breach notification may consider:
- Designating a person within the reporting entity who will be responsible for the notifications and verifying the person's availability to make the notifications in a timely manner.
- Preparing the contents of the notification in advance. It may be helpful to have legal counsel or other appropriate people review the notification prior to submitting it to OCR. Click here for a DWT template outlining the breach notification questions for reporting through the OCR website.
- Printing out and retaining a "receipt" of the filing of the notification or developing other documentation to demonstrate timely notification to OCR.
- Verifying that the entity has appropriate documentation in place relating to the breach (such as being able to demonstrate notification was sent without unreasonable delay and included the required content).
- Being prepared. Notifications may spur investigations and compliance reviews by OCR. Although in the past OCR initiated investigations of only a few small breaches, covered entities would be well-served to revisit the root cause of the reported breach and document the corrective actions and other mitigations implemented to avoid similar breaches in the future. Additionally, covered entities may want to verify that they are able to explain and have documentation demonstrating compliance with the HIPAA requirements that relate to the breach (such as a risk analysis and a risk management plan for a breach of unsecured electronic protected health information).
If you need assistance reporting a breach, then please contact our 24/7 Breach Response team at 844-GoToDWT (844-468-6398) to speak with a trained incident responder or contact your Davis Wright attorney.