Reminder: Notification of HIPAA Breaches Affecting Fewer Than 500 Individuals Due to HHS by March 1

Notifications to HHS Must Be Submitted Online

HIPAA covered entities are reminded that the deadline to notify the U.S. Department of Health and Human Services (HHS) of breaches of unsecured protected health information affecting fewer than 500 individuals in calendar year 2016 is March 1, 2017.

Background
Among other things, the HIPAA Breach Notification Rule requires HIPAA covered entities to report breaches of unsecured protected health information (PHI). A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals:

• If a breach of unsecured PHI affects fewer than 500 individuals, a covered entity must notify HHS no later than 60 days after the end of the calendar year in which the breach is discovered. For calendar year 2016, this generally means that breach notification is due to HHS by March 1, 2017.
• If a breach of unsecured PHI affects 500 or more individuals, a covered entity must notify HHS without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.

How to Submit a Breach Notification to HHS
All breach notifications to HHS must be submitted online. Click here for more information and a link to the submission portal.