Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities (health care providers, health plans and health care clearinghouses) to notify the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), of breaches of unsecured protected health information (PHI). For breaches affecting fewer than 500 individuals, that notice is due within 60 days of the end of the calendar year in which the breach was discovered. That means the reporting deadline this year for such breaches discovered in 2018 is March 1, 2019. Reports may be made through OCR’s website. Unfortunately, it is not possible to save your breach reports before submitting them to OCR, so be prepared to fill out the full report and submit it at the same time.

Reporting Requirements

Covered entities and business associates must provide the required notifications only if the breach involved unsecured protected health information. Unsecured PHI is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS. The Secretary’s guidance recognizes only two such methods: encryption consistent with the NIST standards it cites, and destruction of the media. Note that encryption protects you only if the decryption key was not also compromised; if the key was stored with the data or obtained by the same unauthorized person, the PHI is still treated as unsecured and the breach must be reported.

These smaller breaches should have been reported to each of the affected individuals without unreasonable delay, and in no case later than 60 days after discovery of the breach, unless a documented risk assessment demonstrated there was a “low probability” that the PHI had been “compromised”. That assessment must consider at least the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The reports to OCR must include all the actions taken to mitigate and remediate any harmful effects of such breaches, even if the breach only affected a single individual.

Any larger breaches affecting 500 or more individuals should have been reported to OCR at the same time the breach was reported to the affected individuals — that is, without unreasonable delay and in no case later than 60 days from the discovery of the breach.

Administrative Requirements

Remember, all covered entities and their business associates are also required to comply with certain administrative requirements for preventing and providing notices of breaches. For example, covered entities and their business associates must have written policies and procedures regarding breach prevention, notification, and damage mitigation. They also must provide effective training for employees on these policies and procedures and must develop and apply appropriate sanctions against workforce members who do not comply.


Contact any of our Health Law team of attorneys, along with Steve Burt of Healthcare Compliance Resources, an affiliate of Woods Rogers Consulting, to discuss questions about breach reporting, patient notification, employee training, and overall HIPAA risk management.