Skip to content
DWT logo
People Expertise Insights
About Locations Careers
Search
People
Expertise
Insights
About
Locations
Careers
Search
Advisories
Healthcare

Deadline Approaches for Reporting 2012 Small Breaches

By  Adam H. Greene and Rebecca L. Williams
02.25.13
Share
Print this page

HIPAA covered entities have through Friday, March 1, 2013, to report small breaches of unsecured protected health information that occurred in calendar year 2012 to the U.S. Department of Health and Human Services (HHS). A small breach is one that involves fewer than 500 individuals. While covered entities must provide breach notification of small breaches to affected individuals without unreasonable delay (and no later than 60 days after discovery), they must report small breaches to HHS no later than 60 days after the calendar year in which the small breaches occurred (e.g., no later than March 1, 2013, for small breaches that occurred in calendar year 2012).

The recent HIPAA Omnibus Rule revised the Breach Notification Rule, but since it is not yet in effect, covered entities should continue to apply the interim final Breach Notification Rule that was published in August 2009. Under the interim final rule, covered entities need not report an impermissible acquisition, access, use, or disclosure of protected health information if the covered entity can demonstrate that the incident did not lead to a significant risk of financial, reputational, or other harm to the individual(s) whose protected health information was involved in the incident.

Business associates of covered entities should not be affected by this deadline, as their reporting obligation is solely to the covered entity and not to HHS, unless the covered entity has delegated its breach reporting obligations to the business associate.

Covered entities should report each small breach separately online at http://ocrnotifications.hhs.gov/. HHS informally has indicated that it plans on providing a means to report multiple small breaches to HHS on one report in the future. Until then, however, HHS requires a separate report for each small breach.

More than 64,000 small breaches have been reported to HHS since September 2009. Of those small breach reports, we are aware of only one that has led to a formal financial settlement. Nevertheless, it remains possible that for any small breach reported, HHS may initiate an investigation, which could lead to an enforcement action. 

Related Articles

DWT logo
©1996-2022 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.
NAVIGATE
Home People Expertise Insights
About Locations Careers Events Blogs
STAY CONNECTED

Subscribe to stay informed.

Subscribe
Employees
DWT Collaborate
EEO
Affiliations
Legal notices
Privacy policy
©1996-2022 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.
Close
Close

CAUTION - Before you proceed, please note: By clicking “accept” you agree that our review of the information contained in your e-mail and any attachments will not create an attorney-client relationship, and will not prevent any lawyer in our firm from representing a party in any matter where that information is relevant, even if you submitted the information in good faith to retain us.