2014 HIPAA Breach Reporting Deadline Approaches

Feb 7, 2015

The deadline for reporting 2014 security breaches affecting fewer than 500 people arrives in the next three weeks.

Any healthcare supplier or other covered entity that has not filed all 2014 breach reports must ensure they have all been submitted – and are updated – via the HHS website portal by the March 2, 2015 deadline.

All organizations covered by the Health Insurance Portability and Accountability Act must report breaches affecting more than 500 individuals within 60 days of the identification of the breach, according to the HIPAA Breach Notification Rules. The Office for Civil Rights must be alerted, and all individuals affected by the breach must also be advised so that they can take the necessary steps to mitigate any damage caused.

Covered entities are also obliged to report breaches affecting fewer than 500 people to the Department of Health and Human Services, although the breach reports only need to be filed once per year. A failure to file a breach report – or submitting inaccurate breach reports – is a violation of the HIPAA Breach Notification Rule, and could see the OCR issue a penalty for non-compliance or may trigger a full HIPAA compliance audit.

Recent alterations to the HHS breach reporting portal included a change to the format – a new wizard has been established – and changes to the information which must be supplied to the OCR about data breaches. More detailed information must be submitted covering the steps that have been taken in response to breaches. The change of system so close to the reporting deadline may place some healthcare providers under stress if they do not have all the required information in their breach logs.

Now is the perfect time to put policies in place covering future breach reports and to incorporate the recent changes to the breach reporting portal into procedures. The HHS does not state when small breach reports should be made – other than giving an annual deadline – but a best practice to follow is to file breach reports as soon as the preliminary investigations have been finished.

Further information can be added later as addenda – such as the actions taken to address security weaknesses identified by the breach. A final check of filed breach reports can then take place as the deadline looms. This ensures all information needed by the OCR is obtained and provided at a time when it is easiest to gather.

The amendments to the web portal should serve as a timely reminder to HIPAA-covered organizations that the OCR is closely reviewing all data breaches, not just those affecting thousands of people. The additional information required for small breach reports suggests they are now being examined and that the OCR is looking closely at the risk management policies that have been implemented in response to breaches to address all security weaknesses that they uncover.


Patrick Kennedy
