The annual deadline for HIPAA Covered Entities and Business Associates to file their breach reports with the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), is Tuesday, March 1, 2022.
Recall that a “breach” is a Privacy Rule violation that also compromises the security or privacy of protected health information (PHI). A covered entity or business associate responsible for an impermissible use or disclosure of PHI will need to report a breach to patients and the OCR, unless they can show that there was a low risk that the PHI was compromised. Organizations need a strong breach notification assessment policy and process that will direct how they analyze whether a HIPAA violation has led to a breach. HHS also has a terrific list of example breach situations here that can help organizations avoid numerous pitfalls.
Smaller breaches involving fewer than 500 individuals need to be documented throughout the course of the year and reported by the annual filing deadline, but breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery. Keep in mind that there is no penalty for filing a breach report, and it is good practice to report throughout the year. Doing so shows HHS and the OCR that your organization has a robust infrastructure in place to address privacy violations and potential and actual breaches, and these ongoing assessments will help you ensure that similar incidents do not recur.
Neglecting to log HIPAA breaches carries serious consequences. HHS treats this as a failure to cooperate and has said that it will likely constitute “willful neglect,” thereby triggering mandatory penalties if discovered. If your Business Associate logged the breach and you have designated them as responsible for reporting, that is fine; however, you will want to review the breach report before they file it to make sure it contains correct information. Maintaining and following your business associate agreements, and cultivating good communication about privacy incidents and responses, is key to HIPAA compliance between covered entities and their business associates. A straightforward commitment to processing your privacy incidents and reporting determined breaches will contribute to the continuing success of your compliance program.