Next Tuesday, March 1st, 2022 is the Annual HIPAA Small Breach Reporting deadline.
First off, let’s review: what is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. Passed in 1996, HIPAA is a federal law that sets a national standard to protect medical records and other personal health information. The rule defines “protected health information” as health information that:
1. Identifies an individual and
2. Is maintained or exchanged electronically or in hard copy.
The HIPAA rules and regulations consist of three major components: the Privacy Rule, the Security Rule, and the Breach Notification Rule. A full description of the HIPAA Privacy Rule can be found here. Essentially, HIPAA works to protect sensitive patient medical information.
What does this mean if your business is subject to HIPAA?
Entities that must follow the HIPAA regulations are called “covered entities.” Covered entities include health plans (health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid) and health care providers that accept insurance.
Basically, if you are a HIPAA-covered entity, March 1st (Tuesday) is the deadline for reporting any breaches of unsecured protected health information that may have occurred during 2021 and involved fewer than 500 individuals. Below we’ll review the legal requirements for reporting breaches of this category to the U.S. Department of Health and Human Services (HHS).
What do I need to know for March 1st?
If your business is a HIPAA-covered entity, you are subject to the HIPAA Breach Notification Rule. This rule requires HIPAA-covered entities to notify affected individuals and the Secretary of HHS directly following a breach of unsecured PHI (protected health information).
If you are a Covered Entity or a Business Associate, and you’ve had a breach, you must notify all involved parties as part of the breach notification rule. Breaches continue to occur with growing frequency and to entities of all sizes, making notification and communication vital.
What is the reporting requirement?
In short, there are different reporting requirements for breaches involving fewer than 500 individuals and breaches involving greater than 500 individuals. The March 1st deadline specifically relates to breaches affecting fewer than 500 individuals. These breaches must be reported to the HHS Secretary within 60 days of the end of the calendar year, which is why the deadline for 2021 breaches falls on March 1st. In addition, HIPAA requires a covered entity to maintain documentation or a log of said breaches.
You can learn more about the requirements for the March 1st deadline at the HHS portal here.
PK Tech holds Compliancy Group’s HIPAA Seal of Compliance as part of our mission to promote HIPAA compliance education resources and support to our clients. More on HIPAA compliance and HIPAA-related IT services we provide at PK Tech can be found here. You can also download our free HIPAA ebook here. If PK Tech can help with the IT services needs of your business, contact us here.