Deadline for Reporting 2021 Healthcare Data Breaches Affecting Fewer Than 500 Individuals

HIPAA Breach Notification Rule Reporting of Small Data Breaches

The HIPAA Breach Notification Rule deadline for reporting 2021 data breaches affecting fewer than 500 individuals to the Secretary of the Department of Health and Human Services is just a few weeks away.

The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires individual notifications to be sent to affected individuals within 60 days of the discovery of a data breach. Notifications are required to allow individuals to take steps to reduce the risks associated with the exposure or disclosure of their protected health information, which, depending on the types of information exposed, could place individuals at risk of identity theft and fraud.

The 60-day notification deadline is the absolute maximum time that is allowed for issuing individual notifications. The Breach Notification Rule states that notifications should be sent “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” Many HIPAA-regulated entities send notification letters very close to the absolute deadline, on days 58-60, for example. Leaving notifications that late may mean individuals receive their notification letters in the mail after day 60. Further, delaying notifications when there is no justifiable reason for doing so is a violation of the Breach Notification Rule, even if those notifications are sent within 60 days of the discovery of a breach.

The HIPAA Breach Notification Rule also requires the Secretary of the HHS to be notified about all data breaches, and the maximum time scale for notifying OCR is dependent on the number of individuals affected by a data breach. When 500 or more individuals have been affected, the same time frame applies as for notifications to individuals. The Secretary must be notified without unreasonable delay, and no later than 60 days after the discovery of the data breach.

HIPAA-regulated entities have more time to report data breaches affecting fewer than 500 individuals. While it is a best practice to adopt the same time frame for reporting those breaches, HIPAA-regulated entities are allowed to report those breaches no later than 60 days from the end of the calendar year in which the breach was discovered. The deadline for reporting 2021 data breaches that have affected fewer than 500 individuals is therefore 11:59:59 p.m. on March 1, 2022.

HIPAA-regulated entities that have experienced a data breach in the past and have used the HHS web portal for reporting a data breach are likely to be aware that the reporting process can take some time. The portal requires information to be entered about the breach, and each breach must be reported separately, regardless of how many individuals have been affected. If multiple small data breaches have been experienced, time must be allowed to report each one. Many HIPAA-regulated entities are likely to leave reporting to the last minute, so the portal may experience high traffic, which could cause slowing or even unavailability of the portal.

All HIPAA-regulated entities are therefore advised to report their small data breaches as soon as possible and not leave reporting until March 1, 2022.