No later than 60 days after the end of the calendar year, covered entities must report information to HHS regarding the prior year’s HIPAA breaches involving less than 500 individuals.
HIPAA covered entities are required by law to notify the Secretary of HHS if they discover a breach of unsecured protected health information or “PHI” involving less than 500 individuals. A covered entity must notify HHS of the prior year’s breaches no later than 60 days after the end of the calendar year (or by March 1, 2017).
Covered entities must submit this notice electronically through the link provided below and by completing all of the fields required on the breach notification form.
Covered entities are not required to make this notification at the end of the calendar year, but instead may choose to report breaches at the time they are discovered, so long as the notification is made prior to the annual deadline.
If a covered entity experiences a breach affecting more than 500 individuals, however, a different procedure is required, which includes notifying HHS of the breach “without unreasonable delay” and “in no case later than 60 calendar days from the discovery of the breach.”
Attention to these requirements is vital as failure to abide by HIPAA can cause an entity to incur steep penalties. Penalties range from $100 to $50,000 per violation, with a $1.5 million cap per calendar year, and criminal penalties of up to 10 years’ imprisonment.
To assist our clients in implementing the operational changes necessary to comply with HIPAA requirements, ROLF has published HIPAA manuals for nursing facilities, assisted living facilities, DD providers, home health agencies, and hospice providers. ROLF’s manuals are drafted specifically for the applicable provider type, focusing on providing both a clear explanation of the legal requirements, as well as various tools, templates, and sample policies to guide your entity’s compliance.
If you need additional information about this breach notification topic, would like assistance in updating your policies, or would like to purchase a HIPAA manual, please contact Jacqueline Anderson (Anderson@RolfLaw.com) at (866) 495-5608.
Please note that this alert is intended to be informational only, and is not intended to be nor should it be relied upon as legal advice. Rolf Goffman Martin Lang LLP will not be responsible for any actions taken or arrangements structured based upon this alert. The receipt of this alert by an organization that is not a current client of Rolf Goffman Martin Lang LLP does not create an attorney-client relationship between the recipient and the law firm.
©2017. Rolf Goffman Martin Lang LLP. All Rights Reserved.