Don’t Forget! Breach Reports Due March 1, 2018
As organizations continue to close the books for calendar year 2017, remember that covered entities must file all HIPAA breach reports with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). If a covered entity experienced a breach (as defined in the data breach notification rule) during CY 2017, the deadline for reporting the breach to OCR is March 1, 2018. Many covered entities report the breaches to OCR as they occur throughout the calendar year. However, for those covered entities that have not yet reported CY 2017 breaches, OCR allows 60 days following the end of the year to report the breach. The website for reporting can be found here.
You only submit a report if you conclude an incident was a breach. Incidents which were reviewed and determined not to result in a breach (for example, because the PHI was secured; the incident fit within an exception; or you determined there was a low probability of compromise), do not have to be reported. Thus, your breach reports to OCR should correlate with those incidents for which breach notification letters were sent to affected individuals.
It is very important that you carefully consider the contents of your OCR report. OCR is more heavily scrutinizing “small” breach reports (those with fewer than 500 affected individuals) for determining possible investigations and enforcement efforts. The chances of OCR following up on the report may be reduced if the existing safeguards and corrective action steps taken by the covered entity are appropriately and completely described in the report.