HIPAA Breach Log: 2016 Breach Reports Due March 1, 2017
With the end of 2016, covered entities must remember to file all breach reports with OCR. If a covered entity experienced a breach (as defined in the data breach notification rule) during 2016, the deadline for reporting the breach to OCR is March 1, 2017. Covered entities have 60 days following the end of the year to report any breach for the prior year. The website for reporting can be found here.
You only submit a report if you conclude an incident was a breach. Incidents which were reviewed and determined not to result in a breach, either because the incident fit within an exception or the PHI was secured or you determined there was a low probability of compromise, do not have to be reported. Thus, your breach reports to OCR should correlate with those incidents for which breach notification letters were sent to patients.
It is very important that you carefully consider the contents of your report. As we recently reported, the Office for Civil Rights announced it is more heavily scrutinizing breach reports for determining possible investigations and enforcement efforts. The chances of OCR following up on the report may be reduced if the existing safeguards and corrective action steps taken by the covered entity are appropriately and completely described in the report.