Covered entities that discovered small-scale HIPAA breaches during calendar year 2017 must file notice of such breaches with the Office of Civil Rights (OCR) by March 1, 2018.
Under HIPAA rules, covered entities do not have to report breaches impacting fewer than 500 individuals to OCR concurrently with reporting to affected individuals.[1] Rather, the covered entity must maintain a log of small-scale breaches during the calendar year and report the breaches to OCR no more than 60 days after the end of that calendar year.[2]
Covered entities that waited to report small-scale breaches may submit notice through OCR’s website. The reporting requirements to OCR for small-scale HIPAA breaches do not eliminate the duty of the covered entity to notify affected individuals within applicable time frames.[3]
As noted previously in Health Law Checkup, OCR has increased enforcement efforts regarding small-scale HIPAA breaches in recent years. The increased enforcement environment should remind organizations of the importance of enacting and implementing robust HIPAA compliance programs, as well as appropriate identification, investigation, and reporting of all HIPAA breaches, no matter the size.
Ken Farris is an associate in Thompson Coburn's health care practice.
[1] 45 CFR 164.408
[2] 45 CFR 164.408
[3] 45 CFR 164.404(b)