
HIPAA Small Breach Notification Due March 1: “In Like a Lion, Out Like a Lamb” if You Submit Timely

By Rebecca L. Williams
02.09.17

March 1, 2017 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2016. A small breach involves fewer than 500 individuals.

HIPAA Notification Requirements. HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay—and not later than 60 days after discovery. Covered entities also must report small breaches to OCR no later than 60 days after the calendar year in which the small breaches were discovered. For this year, notifications of small breaches are due no later than March 1, 2017.

Most business associates will not be affected by this deadline because their reporting obligation is to the covered entity and not to OCR, unless the covered entity has delegated its breach reporting obligations to the business associate.

How to Notify OCR. Covered entities should report each small breach separately online at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

OCR requires a separate report for each small breach, although we hope someday OCR will provide a means to report multiple small breaches to OCR through a single log or report.

Steps to Take for Notifications. In making these notifications, covered entities may consider:

  • Designating a person within the covered entity who will be responsible for the notifications and verifying the person’s availability to make the notifications in a timely manner. There have been situations when the Privacy Officer was vacationing at the time the notifications were due.
  • Preparing the contents of the notification in advance. It may be helpful to have legal counsel or other appropriate people review the notification prior to submitting to OCR. A Davis Wright document outlines the notification questions on the OCR website.
  • Printing out and retaining a “receipt” of the filing of the notification or developing other documentation to demonstrate timely notification to OCR.
  • Verifying that the covered entity has appropriate documentation in place relating to the breach (including being able to demonstrate notification was without unreasonable delay).
  • Being prepared – Notifications may spur investigations and compliance reviews from OCR.

©1996-2022 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.