The HIPAA Breach Notification Rule (45 C.F.R. § 164.408) requires healthcare organizations to report data breaches involving 500 or more medical records to the Secretary of the Department of Health and Human Services (HHS) no later than 60 days after the breach is discovered. Breaches involving fewer than 500 medical records may be reported to the HHS at any time, provided the report is submitted within 60 days of the end of the calendar year in which the breach occurred.
This means healthcare data breaches affecting fewer than 500 records must be reported to the HHS on or before March 1 each year. However, since 2020 is a leap year, February has one extra day, so the deadline for reporting breaches affecting fewer than 500 individuals falls one day earlier: on or before February 29, 2020.
All breach reports must be submitted to the Secretary of the HHS through the Office for Civil Rights. Each data breach must be reported separately, with the complete details of that breach. If several small data breaches occurred during the 2020 calendar year, submitting the reports can take some time, so it is advisable not to wait until the last minute to submit them and risk missing the deadline. Breach reports submitted after the 60-day deadline can result in financial penalties.
If the number of individuals affected by a breach is not yet known, an estimate of the number of affected individuals must be provided; breach reporting may not be deferred on that basis. Once the exact number of affected individuals has been determined, an addendum should be submitted. Addenda should also be used to update a breach report whenever further details about the breach become available.