Annual Breach Reporting Deadline LoomsSmaller Incidents Must Be Reported Soon
With the approaching end of February comes an important annual deadline: The HITECH Act requires submission of reports about smaller healthcare information breaches to federal authorities within 60 days of the end of the calendar year.
HIPAA covered entities - including hospitals, physician groups, health plans and claims clearinghouses - must report smaller breaches annually to the Department of Health and Human Services' Office for Civil Rights. Smaller breaches are defined as those affecting fewer than 500 individuals. Larger breaches must be reported to OCR within 60 days. And all breaches must be reported to the individuals affected within 60 days.
In an annual breach report submitted to Congress last September, OCR reported that about 62,000 individuals were affected by more than 30,500 smaller breach incidents between September 2009, when an interim final version of the HIPAA breach notification rule took effect, and the end of 2010. About 7.8 million individuals were affected by 252 major breaches during that period.
As of Feb. 9, OCR's running tally of major health information breaches since September 2009 stood at 392 incidents affecting more than 19 million individuals.
An omnibus set of regulations, including a final version of the HIPAA breach notification rule, is long overdue, and federal officials have not revealed when the regulations are likely to be published. Meanwhile, the interim final version of the breach rule remains in effect.