
February 23, 2017

By: Stephanie T. Eckerle and Stacy Walton Long

Did your company have a HIPAA breach affecting fewer than 500 individuals in calendar year 2016 that has not yet been reported to HHS? If so, the deadline for submitting those breach notifications to HHS is March 1, 2017.

HIPAA requires that covered entities maintain a log or other documentation of breaches of unsecured protected health information involving fewer than 500 individuals. The covered entity must report those breaches to HHS not later than sixty calendar days after the end of each calendar year, which this year falls on March 1, 2017. 45 CFR 164.408. The covered entity can report all breaches affecting fewer than 500 individuals on the same date, but must submit a separate notice to HHS for each breach incident. The covered entity may also report breaches affecting fewer than 500 individuals at the time they are discovered, rather than waiting until the following calendar year. These reporting obligations to HHS are in addition to a covered entity's obligation to notify the affected individuals, which must be done without unreasonable delay and in no case later than sixty calendar days after the covered entity discovers the breach. 45 CFR 164.404.

With the March 1, 2017 deadline looming, covered entities should remember that planning and preparation are key to a successful HIPAA compliance program. The starting point is often a HIPAA Security Risk Assessment, together with ensuring that the covered entity has thorough HIPAA Privacy and Security Policies and all necessary HIPAA forms in place. Furthermore, with the March 1, 2017 deadline in mind, covered entities should have a plan for immediately investigating and analyzing a suspected breach of unsecured protected health information. This plan or decision tree should include, for example, detailed steps to evaluate whether there was a "breach" as defined in HIPAA, whether the PHI or ePHI at issue was unsecured, whether the incident falls within one of the exceptions to the definition of "breach" at 45 CFR 164.402, and a number of other steps. If, after this analysis, it is determined that a breach did occur, proactive and immediate action needs to be taken on a number of fronts.

Krieg DeVault stands ready to assist your covered entity in complying with all aspects of HIPAA, including the following:

  • HIPAA Risk Assessments
  • HIPAA Privacy and Security Policies
  • HIPAA Forms
  • Breach investigations
  • Breach notifications to HHS, individuals and the media
  • OCR HIPAA Audits
  • OCR Enforcement Actions

For assistance with HIPAA issues please contact your regular Krieg DeVault healthcare attorney or Stephanie T. Eckerle or Stacy Walton Long.