No Privacy Breach is too small…

March 1st is the deadline for HIPAA Covered Entities to file their annual breach reports with the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR). HHS has indicated that failure to do so will likely constitute “willful neglect,” thereby triggering mandatory penalties if discovered.

While breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery, breaches involving fewer than 500 individuals can be documented throughout the course of the year and reported by March 1, 2020 using the following guidelines:

  1. Submit to OCR notice of breaches/potential breaches of unsecured Protected Health Information (PHI), that affected fewer than 500 individuals per incident, that occurred during the preceding year, by March 1st every year.
  2. If the occurrence date, or the discovery date was in 2019, then this notification is required even if the assessment, mitigation, or notification process is ongoing.
  3. If more details about the event unfold during 2020, then it is possible to augment the initial report for a 2019 event.

This notice must be submitted electronically by completing all information required on the breach notification form, located on the HHS site.

1. A separate form must be completed for each breach that has occurred during the calendar year.

  • It is not necessary to provide a separate report for each individual person affected by a breach.
  • The details of all “small” PHI breaches can be entered sequentially on the same day, but each breach must be reported as a separate event. The order of report entry does not need to follow the chronological order of breach occurrence or discovery.
  • The reports must be uploaded separately to the breach portal, versus together in a batch.

2. Covered entities should analyze each potential breach under the Health Information Technology for Economic and Clinical Health Act (HITECH) regulations, including:

  • documenting incident reports;
  • risk of harm analyses; and
  • notification documents, where applicable.

The BlueOrange Compliance Breach procedures conform to these expectations. BlueOrange Compliance will work with current clients, and if needed the client’s legal counsel, in determining which incidents to include on the annual breach report.