Leap year and the looming breach notification deadline

All covered entities are required to report breaches affecting 500 or fewer individuals by February 2024. 

What happened

Entities regulated under HIPAA are required to notify the Department of Health and Human Services (HHS) about breaches affecting fewer than 500 individuals (otherwise known as small breaches) within sixty days following the end of the calendar year. Consequently, as a result of the leap year, the 2023 reporting deadline to HHS is set for February 29, 2024.

See also: What is a data breach?

In the know

The process of reporting the breach includes: 

1. Detect and document the breach: Identify any unauthorized access, use, or disclosure of PHI. Organizations should also document all details about the breach, including how it occurred, the type of information involved, and the number of individuals affected.
2. Perform a risk assessment: Assess the severity of the breach, including the potential harm to affected individuals. 
3. Notify affected individuals: Notify individuals affected by the breach without unreasonable delay and no later than 60 days after discovering the breach.
4. Notify the secretary of HHS: For breaches affecting fewer than 500 individuals, compile and submit the report to HHS within 60 days after the end of the calendar year in which the breaches were discovered.
5. Submit the breach report to HHS: Use the HHS Office for Civil Rights' online breach reporting portal to submit the breach notification.

See also: What is the HIPAA Breach Notification Rule?

Why it matters

This deadline requires organizations to systematically document and report breaches, thereby fostering a culture of transparency and accountability. This directly impacts how organizations manage their PHI security protocols, encouraging them to identify vulnerabilities, implement corrective measures, and enhance their overall data protection strategies. Meeting this deadline also helps healthcare organizations avoid potential legal and financial penalties associated with non-compliance. 

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What information must be included in the breach notification?

The notification must include the date of the breach, the date the breach was discovered, the number of individuals affected, the type and location of breached information, a brief description of the incident, safeguards that were in place before the breach, actions taken in response to the breach, and information about notices provided to affected individuals.

What happens if an organization misses the breach notification deadline?

Failing to meet the breach notification deadline can result in regulatory penalties and fines from HHS. 

Where can I find more information about HIPAA breach notification requirements?

For comprehensive guidance and resources on breach notification requirements, visit the HHS Office for Civil Rights website or consult a HIPAA compliance expert.