Small Breach Reporting Deadline Today (March 1)

A reminder for sponsors of group health plans subject to HIPAA that reporting of small breaches (i.e., those affecting fewer than 500 individuals) is due to HHS today (March 1, 2017).

Under HIPAA, covered entities are required to report breaches affecting fewer than 500 individuals annually to HHS, no later than sixty (60) days after the end of the calendar year in which the breach is discovered. Therefore, for small breaches discovered during 2016 (regardless of when the breach actually occurred), reporting is due to HHS no later than today.

Since reporting to individuals is due within 60 days of discovery of a breach, covered entities should have accessible records of any breaches that require reporting to HHS. And note that, in accordance with HIPAA document retention standards, records of any breaches should be logged and maintained by the covered entity for at least six (6) years.

Instructions for reporting small breaches may be found here: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true