Deadline for Reporting “Small” 2015 HIPAA Breaches Approaching

Deadline for Reporting “Small” 2015 HIPAA Breaches Approaching


For those covered entities who experienced one or more HIPAA breaches involving less than 500 individuals during the calendar year 2015, the deadline for reporting those breaches to the Secretary of the U.S. Department of Health and Human Services (“HHS”) is Monday, February 29, 2016.

Covered entities are required by law to report a “breach,” as that term is defined by the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the regulations thereunder (collectively, “HIPAA”), to the individual(s) affected, the HHS Secretary and, for large breaches (affecting five hundred or more individuals), to the media.  With a few exceptions, HIPAA defines a “breach” as an impermissible acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information.

For breaches involving less than five hundred individuals, a covered entity may maintain a log and collectively report all such breaches occurring during a calendar year within sixty days of the end of the calendar year.  The sixtieth day of calendar year 2016 is February 29, 2016.  Breaches involving five hundred or more individuals are to be reported separately to the HHS Secretary --within sixty days of the discovery of the breach, and contemporaneously with notification to the individuals involved.  Failure to report a HIPAA breach in a timely manner may lead to separate and distinct penalties for the covered entity and or the covered entity’s business associate(s).

For a covered entity who has delegated the responsibility for breach reporting to a business associate, the covered entity should confirm that the business associate files the report in a timely manner.  The best practice would be for the covered entity to review the breach report before it is filed with HHS to ensure that it is accurate.

Employers with self-insured health plans that are covered entities and that were affected by one of the several large scale data breaches that occurred in 2015 (Anthem, Premera, etc.) should do the following, if the breach has not already been reported to HHS: (1) make sure to understand and confirm who will do the reporting to HHS (the employer, the employer’s third party administrator or the insurer); and (2) if a third party will be doing the reporting, obtain a copy of the report (preferably in advance to confirm accuracy).

Covered entities and business associates that need to report 2015 HIPAA breaches to the HHS Secretary may begin the process on HHS’ website here

Saul Ewing attorneys are available to assist those who may have questions about their breach reporting obligations.

Saul Ewing attorneys regularly advise and counsel clients on HIPAA compliance, including developing and editing policies and procedures, drafting and reviewing business associate agreements, performing breach assessments and assisting with breach reporting.  For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.

View Document(s):