Deadline Approaches for Reporting 2012 Small Breaches

HIPAA covered entities have through Friday, March 1, 2013, to report small breaches of unsecured protected health information that occurred in calendar year 2012 to the U.S. Department of Health and Human Services (HHS). A small breach is one that involves fewer than 500 individuals. While covered entities must provide breach notification of small breaches to affected individuals without unreasonable delay (and no later than 60 days after discovery), they must report small breaches to HHS no later than 60 days after the calendar year in which the small breaches occurred (e.g., no later than March 1, 2013, for small breaches that occurred in calendar year 2012).

The recent HIPAA Omnibus Rule revised the Breach Notification Rule, but since it is not yet in effect, covered entities should continue to apply the interim final Breach Notification Rule that was published in August 2009. Under the interim final rule, covered entities need not report an impermissible acquisition, access, use, or disclosure of protected health information if the covered entity can demonstrate that the incident did not lead to a significant risk of financial, reputational, or other harm to the individual(s) whose protected health information was involved in the incident.

Business associates of covered entities should not be affected by this deadline, as their reporting obligation is solely to the covered entity and not to HHS, unless the covered entity has delegated its breach reporting obligations to the business associate.

Covered entities should report each small breach separately online at http://ocrnotifications.hhs.gov/. HHS informally has indicated that it plans on providing a means to report multiple small breaches to HHS on one report in the future. Until then, however, HHS requires a separate report for each small breach.

More than 64,000 small breaches have been reported to HHS since September 2009. Of those small breach reports, we are aware of only one that has led to a formal financial settlement. Nevertheless, it remains possible that for any small breach reported, HHS may initiate an investigation, which could lead to an enforcement action.