HIPAA breach deadlines refer to the maximum time limit within which covered entities and their business associates must notify affected individuals, the Secretary of the Department of Health and Human Services (HHS), and sometimes the media, in case of discovering a breach involving unsecured protected health information (PHI).
What are the deadlines for reporting breaches under HIPAA?
Before understanding the breach deadlines, note that the term "discovery" in this context is defined as the first day on which such breach is known to the covered entity or business associate. The breach deadlines include the following:
Notifying affected individuals
Deadline: No later than 60 days following the discovery of the breach.
Note: Covered entities are encouraged to notify affected individuals as soon as possible, especially if the information breached could be misused.
Notifying the Secretary of HHS
Breaches affecting 500 or more individuals: Covered entities must notify the Secretary of HHS without unreasonable delay and no later than 60 days from the breach discovery. This notification is done through the HHS website.
Breaches affecting fewer than 500 individuals: The annual notification deadline is 60 days from the end of the calendar year in which the breaches were discovered (effectively March 1 of the following year or in the case of a leap year 29 February).
See also: Leap year and the looming breach notification deadline
Notifying the media
Deadline: No later than 60 days following the discovery of the breach.
Note: The media notification is intended to reach individuals who might have been affected by the breach but whom the covered entity has been unable to contact directly. This requirement applies only to breaches that affect 500 or more individuals in a state or jurisdiction.
See also: Understanding HIPAA violations and breaches
What are the specific requirements
Notification to affected individuals
Content Requirements: The notification must be written in plain language and include, at a minimum
- A brief description of what happened, including the date of the breach and the date of the discovery, if known.
- A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, diagnosis, treatment information, etc.).
- Steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information, must include a toll-free telephone number, an email address, a website, or a postal address.
Methods of notification: First-class mail to the individual's last known address, or by HIPAA compliant email if the individual has agreed to receive such notices electronically are primary methods. If contact information is insufficient or out-of-date, alternate methods of notification may be used, including posting the notice on the entity's website or issuing a press release.
Notification to the Secretary of HHS
Content requirements: Notifications to the Secretary must include similar content as individual notifications and be submitted via the HHS website. The specific information required can vary, but it generally mirrors the detail needed for individual notices.
Timing and method: For breaches affecting 500 or more individuals, notifications must be submitted electronically through the HHS Office for Civil Rights (OCR) website without unreasonable delay and no later than 60 days after discovery of the breach.
For breaches affecting fewer than 500 individuals, covered entities must maintain a log or other documentation of such breaches and submit it annually to the HHS OCR within 60 days of the calendar year's end.
See also: Top 10 HIPAA compliant email services
Notification to the media
Content requirements: The content requirements for media notifications are similar to those for notifications to affected individuals. The notice should provide the public with a clear description of the breach, the types of PHI involved, the steps affected individuals should take, and what the covered entity is doing in response.
Timing and method: For breaches affecting 500 or more individuals in a particular state or jurisdiction, covered entities must notify prominent media outlets serving the state or jurisdiction without unreasonable delay, no later than 60 days after the discovery of the breach.
Are there any exceptions to the notification requirements?
If the breached information is encrypted or destroyed according to HHS standards, making it unreadable, unusable, or indecipherable to unauthorized persons, no notification is needed. Similarly, if a risk assessment concludes that there is a low probability of the PHI being compromised, based on factors like the nature of the PHI and the unauthorized person's potential to use it, then notification may be deemed unnecessary. Incidental disclosures that are a by-product of lawful uses or disclosures and could not be reasonably prevented also do not trigger the notification requirement.
FAQs
What is a breach of HIPAA rules?
A breach of HIPAA rules is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.
What are the four criteria used to determine a breach occurred?
The four criteria used to determine if a breach occurred are the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been avoided.
When must an organization conduct a breach risk assessment?
An organization must conduct a breach risk assessment whenever there is an impermissible use or disclosure of PHI to determine the probability that the PHI has been compromised.
Kirsten Peremore
