Reminder: Notification of HIPAA Breaches Affecting Fewer Than 500 Individuals Due to HHS by March 1
posted: Thursday, February 16th
Notifications to HHS Must Be Submitted Online
HIPAA covered entities are reminded that the deadline to notify the U.S. Department of Health and Human Services (HHS) of breaches of unsecured protected health information affecting fewer than 500 individuals in calendar year 2016 is March 1, 2017.
Background
Among other things, the HIPAA Breach Notification Rule requires HIPAA covered entities to report breaches of unsecured protected health information (PHI). A covered entity's breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals:
- If a breach of unsecured PHI affects fewer than 500 individuals, a covered entity must notify HHS no later than 60 days after the end of the calendar year in which the breach is discovered. For calendar year 2016, this generally means that breach notification is due to HHS by March 1, 2017.
- If a breach of unsecured PHI affects 500 or more individuals, a covered entity must notify HHS without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.
How to Submit a Breach Notification to HHS
All breach notifications to HHS must be submitted online. Click here for more information and a link to the submission portal.