
February 13, 2024

By: Christopher J. Kulik and Stacy Walton Long

Each year, entities regulated under HIPAA must report breaches affecting fewer than 500 individuals to the Department of Health and Human Services (“HHS”) within sixty days following the end of each calendar year. This means that the deadline to report breaches of this type that occurred in 2023 to HHS is February 29th, 2024.

For these breaches, HIPAA requires that covered entities maintain a log or other documentation of breaches of unsecured protected health information. The covered entity can report all breaches affecting fewer than 500 individuals on the same date but must submit a separate notice for each breach incident to HHS. The covered entity may also report breaches affecting fewer than 500 individuals at the time they are discovered, as opposed to waiting for year-end. This obligation to report to HHS is in addition to a covered entity’s obligation to notify those individuals affected by a breach, which must be done no later than sixty days after the breach is discovered.

HHS’ Office for Civil Rights maintains an online breach reporting portal which provides instructions on how to submit these reports.  These submissions require detailed information concerning the covered entity involved, as well as each breach, including:

  • The date the breach occurred;
  • The date the breach was discovered; 
  • The approximate number of individuals affected; 
  • The type and location of the breach;
  • The type of protected health information involved; 
  • A brief description of the breach; 
  • Safeguards in place prior to the breach; 
  • Actions taken in response to the breach; and 
  • Information about notices provided. 
     

With this deadline nearing at the end of the month, covered entities should begin reviewing their breach logs and planning to make the submission to ensure compliance.  The start of a new year is also a good time to undertake a review of your HIPAA Privacy and Security Policies and organize your HIPAA compliance program for a successful 2024.  

For questions regarding your compliance efforts, please contact Christopher J. Kulik, Stacy Walton Long, or your regular Krieg DeVault health care attorney. 
 

Disclaimer. The contents of this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult with counsel concerning your situation and specific legal questions you may have.
