Reminder: HIPAA Breach Notification Deadline Fast Approaching
This is a friendly reminder to all covered entities that, by February 29, 2016, they must report to the Secretary of Health and Human Services any breaches of unsecured protected health information (PHI) that were discovered in 2015 and involved fewer than 500 individuals.
As most, if not all, covered entities know, HIPAA requires covered entities to report all breaches of unsecured PHI to the Secretary. The timeline for reporting, however, differs depending on the scope of the breach.
- For any breach affecting more than 500 individuals, the Secretary must be notified without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.
- For breaches involving fewer than 500 individuals, a covered entity must keep a log of these events and report them annually to the Secretary. This annual report must be filed within 60 days following the end of the year and should include all reportable breaches that were discovered in the prior year.
Breaches discovered in 2015 and involving fewer than 500 individuals should be reported to the Secretary through the Office of Civil Rights Breach Portal no later than February 29, 2016.
Should your organization need further advice or assistance, the Troutman Sanders LLP Healthcare team is ready and able to help. Do not hesitate to contact either Steve Gravely or Erin Whaley.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.