The deadline for reporting healthcare data breaches of fewer than 500 records is fast approaching.  These small data breaches usually need to be reported by March 1; however, since 2024 is a leap year, this year’s deadline is February 29.

The HIPAA Breach Notification Rule requires HIPAA-regulated entities to issue notifications to all individuals whose protected health information has been exposed or impermissibly disclosed without unnecessary delay, and no later than 60 days from the discovery of a data breach. HIPAA-regulated entities are also required to report data breaches to the Secretary of the HHS via the Office for Civil Rights (OCR) breach reporting portal.

The HIPAA Breach Notification Rule requires large data breaches – those that affect 500 or more individuals – to be reported to OCR no later than 60 days from the date of the discovery of the data breach, but there is more flexibility for reporting data breaches affecting fewer than 500 individuals. HIPAA-regulated entities must also report these breaches via the OCR breach reporting portal, but they have 60 calendar days from the end of the year when the breach was discovered to report the data breaches.

If a HIPAA-regulated entity chooses to take advantage of this Breach Notification Rule flexibility, the extended time frame ONLY applies to breach reporting to OCR. The individuals who had their PHI exposed or impermissibly disclosed must still be notified about the breach within 60 days of when the breach was discovered.

All data breaches must be reported individually through the OCR breach reporting portal. The breach reports must include details of the breaches and the efforts made to remediate those incidents. If a HIPAA-regulated entity has experienced multiple small data breaches, reporting these breaches may take some time. It is therefore best not to wait until the last minute to report these small data breaches.

The post February 29, 2024: HIPAA Deadline for Reporting Small Healthcare Data Breaches appeared first on HIPAA Journal.