Small Breach Reports for 2023 Due to OCR by End of February

Published On: February 23, 2024

One of the key provisions of the Health Insurance Portability and Accountability Act (HIPAA) is the Breach Notification Rule, which requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and, in some cases, the media of any breach of unsecured protected health information (PHI). The Breach Notification Rule specifies different deadlines for reporting breaches depending on the number of individuals affected by the breach:

  • Breaches affecting 500 or more individuals must be reported to:
    • Affected individuals: Without unreasonable delay and in no case later than 60 days following the discovery of the breach
    • OCR: Without unreasonable delay and in no case later than 60 days following the discovery of the breach
    • Media: If the breach affects more than 500 residents of a State or jurisdiction, media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach
  • Breaches affecting fewer than 500 individuals (“small breaches”) must be reported to:
    • Affected individuals: Without unreasonable delay and in no case later than 60 days following the discovery of the breach
    • OCR: No later than 60 days after the end of the calendar year in which the breach is discovered

Information on Small Breaches

For calendar year 2022 (the most recent year for which data is available), OCR received 63,966 reports of small breaches affecting 257,105 individuals.[1] The majority of the PHI affected by small breaches was located on paper (62%), with electronic medical records being the second most common location (17%). In response to these small breaches, covered entities reported fixing glitches in software, revising policies and procedures, training or retraining employees, and sanctioning employees.

Submitting Your Health Center’s Small Breach Reports for 2023

If your health center has yet to submit its small breach reports for 2023, here’s what you need to know:

  • The deadline for reporting small breaches to OCR is February 29, 2024.
  • All breach reports, including small breach reports, must be submitted using OCR’s online breach portal (available here).
  • Ensure you have all the information necessary for each report, including:
    • Date the breach started and ended
    • Date the breach was discovered
    • Date individual notice started and ended, including whether substitute notice was required
    • Number of individuals affected
    • Type of breach: hacking/IT incident, improper disposal, loss, theft, unauthorized access/disclosure
    • Location of breach: Desktop computer, electronic medical record, email, laptop, network server, other portable electronic device, paper files, other
    • Type of PHI involved: Clinical, demographic, financial
    • Brief description of the breach
    • Safeguards in place prior to the breach
    • Actions taken in response to the breach
  • Retain a copy of each breach report for your records.

If you have questions about the HIPAA breach reporting requirements, please contact Dianne Pledgie. In January 2024, Dianne hosted an FQHC Frequently Asked Questions (FAQ) session on “HIPAA Breaches Affecting Fewer than 500 Individuals”. The recording of this session is now available exclusively to Premium Plan subscribers. If you are interested in becoming a Premium Plan subscriber, please contact Feldesman Training Solutions.


[1] U.S. Department of Health and Human Services, Office for Civil Rights, “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2022” (February 2024), available at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html.

