March 1 is HIPAA Day with Reporting Required for Some and Reflection Recommended for All 

February 2021 - Nathan Kottkamp, Beth Pitman

To the extent that there is such a thing as a “HIPAA Day,” it’s coming up soon. And, no, it’s not a HIPAA Holiday. Instead, March 1 is the deadline to report all HIPAA breaches of fewer than 500 affected individuals.

HIPAA requires all breaches to be reported to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). For breaches involving 500 or more individuals, the OCR report must be made at the same time notice is provided to affected individuals. Smaller breaches, however, may be reported at any time, but no later than 60 days after the close of the HIPAA year, which puts the deadline at March 1 (or February 29 in a leap year). And, while HIPAA Day produces feelings of dread or relief in many cases, in all cases it should be a time for reflection.

Reporting in and of itself is easy; there is a straightforward form on the OCR’s website. A separate report must be filed for each breach incident based on the date of discovery. If an incident was discovered in 2020, such as on New Year’s Eve, but the investigation, response and remediation are continuing, the breach is still a 2020 reportable breach. Reports may be updated when additional information becomes known.

Because an OCR Breach Notice, large or small, often amounts to self-reporting of HIPAA non-compliance, the events that follow reporting can be anything but easy or straightforward. The reality is that breach reporting makes Covered Entities obvious targets for investigation and, in states that permit civil actions by affected individuals, may lead to litigation. In fact, several HIPAA enforcement actions that resulted in large settlements were triggered by breach reporting, including the most recent settlement, which we discussed here previously.

Furthermore, OCR has made it clear that enforcement is not limited to the large (500+) breaches that are reported. In 2016, OCR announced an enforcement initiative directed toward small breach incidents and former OCR director Roger Severino stated in 2017, "Just because you are small doesn't mean we're not looking and that you are safe if you are violating the law. You won't be." Any breach report suggests that the entity has opportunities for compliance improvement, and HIPAA Day is an appropriate opportunity for all HIPAA-regulated entities to reflect on their HIPAA compliance.

For an entity that has experienced a breach, HIPAA has a built-in “self-reflection” requirement. Following any breach or security incident, a Covered Entity (or Business Associate) is required to assess any HIPAA compliance deficiency or vulnerability that may have contributed to the breach and to take appropriate corrective action to reduce the risk of further breaches.

On the flip side, for any entity that has not experienced a breach in the past year, the absence of any report – even a single misdirected mailing or inadvertent fax or email – should raise the question of whether the entity’s culture and reporting systems support efforts to identify all potential breaches. Training on what to report, when and to whom, along with reinforcing the prohibition on retaliation for reporting, is essential to building this culture of compliance.

To this end, Covered Entities and Business Associates should remember that OCR does not expect perfection. Instead, OCR expects Covered Entities (and, of course, Business Associates) to implement reasonable efforts to prevent breaches, maintain effective mechanisms to identify and analyze potential breaches, and take appropriate corrective action in response to identified issues of non-compliance or vulnerability. To put this another way, for larger Covered Entities, having nothing to report suggests that you’re not looking and your team isn’t speaking up about various HIPAA hiccups that are an inherent part of operations.
