Reminder: 2018 Small Breach Reports Due March 1, 2019
As we close the books on 2018, covered entities must remember to file all small breach reports with OCR. For small breaches (those impacting fewer than 500 individuals), covered entities have 60 days following the end of the year in which the breach occurred to report any breach for the prior year. Thus, if a covered entity experienced a breach during 2018, the deadline for reporting the breach to OCR is March 1, 2019. Many of you report to OCR immediately after the incident. That’s fine too. For those of you who wait to file all reports after the close of the year, don’t let the deadline slip by.
The website for reporting is:
You submit a report only if you conclude an incident was a breach. Incidents that were reviewed and determined not to result in a breach, whether because the incident fit within an exception, the PHI was secured, or you determined there was a low probability of compromise, do not have to be reported. Accordingly, your breach reports to OCR should exactly correlate with those incidents for which breach notification letters were sent to patients.
It is very important that you carefully consider the contents of your report. If OCR decides to open an investigation following the report, which it has been inclined to do, it will ask for specific evidence of the implementation of all safeguards in place prior to the breach and of all actions taken in response to the breach that were reported in the breach report. But don’t sell your organization short! You will want to include all safeguards you had in place, even if those safeguards would not have prevented the incident. The chances of OCR following up on the report may be reduced if the existing safeguards and corrective action steps taken by the covered entity are appropriately and completely described in the report.