March 1, 2014 is an important deadline for reporting breaches of protected health information (PHI) discovered in 2013 and involving fewer than 500 individuals. The HITECH Breach Notification Rule requires HIPAA covered entities (healthcare providers, health plans, healthcare clearinghouses) to notify individuals and the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (and in some cases the media) of breaches of unsecured PHI, and requires business associates to notify covered entities of such breaches.
Covered entities must notify the affected individuals without unreasonable delay, and in no event more than 60 days after the covered entity discovers the breach (or would have known of the breach if exercising reasonable diligence). If the breach involves 500 or more individuals, it must be reported to OCR contemporaneously with the notice to the individuals.
Breaches involving fewer than 500 individuals must be reported to OCR within 60 days after the calendar year in which the covered entity discovers the breach. Breaches discovered by a covered entity in calendar year 2013 therefore must be submitted via OCR’s website portal by March 1, 2014. The instructions and on-line form are available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html . A separate form needs to be submitted for each breach that occurred during the calendar year. A copy of the completed form should be printed prior to submission and maintained in the covered entity’s records to document the submission.