Deadline for 2013 HIPAA Breach Reports Approaching Fast

by | Feb 5, 2014

All covered entities must  submit annual reports of HIPAA breaches to the U.S Department of Health and Human Services and the deadline for filing 2013 breaches is coming quickly.

While there is a requirement under the Breach Notification Rule for healthcare institutions and their business associates to make HHS aware of any breaches involving more than 500 people as quickly as possible, smaller breaches affecting fewer than 500 people only need to be included in an annual report. HIPAA-covered bodies now only have a few weeks to file the reports, which must be received by the HSS no later than March 1st, 2014.

A PHI breach including less than 500 people must be made known to the HHS within 60 days of the end of the calendar year during which the breach was discovered. Therefore any data breaches discovered during 2013 must now be included in the report to the HHS. In many security breaches it is not instantly clear how many individuals have been affected. If a review is still ongoing, the entity in question should provide an approximation of the number of people affected and once the final number is known it can be filed to the OCR as an addendum at a later date.

The introduction of the HIPAA Omnibus Rule, which came into effect on September 23, 2013, changed how covered organizations must review and report data breaches. Before the passing of the new rule, healthcare organizations were obliged to make a subjective assessment based on the potential damage caused by a breach under the “risk of harm standard”. Now the assessment process is more involved, requiring a 4-factor risk assessment to be completed on any potential security breach involving unencrypted PHI.

In the case of a low probability of disclosure of PHI a breach notification is not required  to be issued; however if this cannot be determined with any degree of certainty the incident must be dealt with as full breach. The organization must therefore adhere with breach notification rules and warn those affected to the potential disclosure of their PHI.

What is a 4-Factor HIPAA Breach Risk Assessment?

  1. Assessment of the “nature and extent” of the breach, the data possibly exposed and any personal identifiers present ion the data.
  2. Who had access to the PHI and the person or persons to whom PHI has been disclosed?
  3. Determination of the exact data accessed, acquired or seen as a result of the breach
  4. Whether any possible loss or damage has been prevented.

Following this assessment a HIPAA covered body should decide whether a breach notification should be sent and whether the incident should be made known immediately to the OCR.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy