Deadline for Reporting 2021 PHI Breaches Affecting Fewer Than 500 People

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule puts a rigid time frame on sending notifications to people whose protected health information (PHI) was breached or impermissibly disclosed. The max time limit is 60 days since the discovery of the data breach, though notification letters ought to be sent “without unreasonable delay.”

Besides giving notification letters to individuals affected by a data breach, the HIPAA Breach Notification Rule likewise demands the Secretary of the Department of Health and Human Services (HHS) be informed regarding a data breach. The time period for sending that notification is dependent on the number of persons impacted by the data breach.

Whenever a data breach is encountered that affects 500 or more people, the Secretary of the HHS should be notified with no unreasonable delay as well and not later than 60 calendar days following discovering a breach. In case all details are not known concerning the breach within 60 days, the HHS should still be informed about the breach, and it may be modified at a later date when more data is received.

In case a data breach has affected under 500 persons, HIPAA-regulated entities are allowed a longer time to report the breaches to the HHS. N.B. the time frame for individual notices remains 60 days from the time of discovery of the breach, irrespective of how many people were impacted.

The deadline for reporting breaches affecting the PHI of less than 500 persons to the HHS is 60 days starting from the end of the calendar year wherein the breach was identified. That means all PHI breaches identified in 2021 that impacted the PHI of fewer than 500 people need to be reported to the Secretary of the HHS on or before 11:59:59 p.m. on March 1, 2022. All breaches should be reported to the HHS separately through the breach reporting application on the HHS webpage.

A lot of HIPAA-regulated entities will not do their breach reporting right up until close to the reporting due date, therefore the breach reporting website will likely see high levels of traffic as the deadline approaches, which can possibly cause availability problems. It is therefore recommended to report any breaches well in advance of the breach reporting due date.

You must keep in mind that a number of states have passed legislation regarding the reporting of data breaches, and the time limit for reporting breaches might be shorter than those of the HIPAA Breach Notification Rule. In a lot of cases, HIPAA-regulated entities are exempt from state breach notification regulations provided they adhere to the reporting standards of HIPAA. If they aren’t compliant with the Breach Notification Rule, state attorneys general can make a decision to investigate, and civil monetary penalties may be issued for violations of HIPAA or state rules.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.