Did your organization discover a HIPAA breach in 2018 that affected fewer than 500 people? If so, you have until March 1 to report the breach to the Office for Civil Rights (“OCR”).
The HIPAA Breach Notification Rule requires covered entities to notify OCR of breaches of unsecured protected health information affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered. This year, the deadline for such breaches discovered in 2018 is March 1, 2019.
Breaches can be reported online here. It’s not possible to save reports before submitting them, so be prepared to fill out the full report and submit at the same time. You can see a sample of the report and the questions you’ll be asked here. Note that if your organization discovered more than one breach in 2018 that affected less than 500 individuals, you must complete a separate report for each breach incident.
Jennifer Pike is a member of Thompson Coburn’s Health Care practice group.