HIPAA Covered Entities Face March 1 Deadline for Breach Reports

James J. Giszczak
McDonald Hopkins LLC - Bloomfield Hills Office

Rick L. Hindmand
McDonald Hopkins LLC - Chicago Office

Dominic A. Paluzzi
McDonald Hopkins LLC - Bloomfield Hills Office

Rachel H. Yaffe
McDonald Hopkins LLC - Chicago Office

March 12, 2014

Previously published on February 27, 2014

HIPAA covered entities (healthcare providers, health plans or healthcare clearinghouses) that discovered a breach of Protected Health Information (PHI) in 2013 involving fewer than 500 individuals are required to report those breaches by March 1, 2014.

The HITECH Breach Notification Rule requires covered entities to notify the affected individuals and the Secretary of the U.S. Department of Health and Human Services (HHS) (and in some cases, the media) of breaches of unsecured PHI, and requires business associates (generally, contractors or vendors who perform services or functions for covered entities and have access to PHI) to notify covered entities of breaches of unsecured PHI. In 2013, the Office for Civil Rights (OCR) of HHS revised the standard for determining whether a breach occurred. Any use or disclosure of unsecured PHI that is not permitted under the HIPAA Privacy Rule is now presumed to be a breach (and therefore triggers the notification obligations) unless either the incident satisfies one of three relatively narrow exceptions, or the covered entity or business associate demonstrates a low probability that PHI has been compromised, based on a risk assessment of at least four factors as set forth in the Breach Notification Rule. The prior definition of “breach” (which was in effect prior to Sept. 23, 2013) focused on a “risk of harm” analysis.

Healthcare data breaches have afflicted a broad range of covered entities and business associates, including a virtual “who’s who” of healthcare providers, health plans and business associates, as well as many who are not used to being in the headlines. Since reporting began in 2009, more than 700 breaches involving 500 or more individuals have been reported to OCR and are listed on the OCR website. In addition, OCR has received more than 64,000 reports of breaches involving fewer than 500 individuals, not including breach reports submitted in recent months.

Covered entities must notify the affected individuals without unreasonable delay, and in no event more than 60 days after the covered entity discovers the breach (or would have known of the breach if exercising reasonable diligence). The deadline for reporting breaches to OCR depends on whether the breach involves 500 or more individuals. Breaches involving fewer than 500 individuals must be reported to OCR no later than 60 days after the calendar year in which the covered entity discovers the breach. Breaches involving more than 500 individuals must be reported to OCR contemporaneously with the notice to the individuals.

Breaches discovered by a covered entity in calendar year 2013 and involving fewer than 500 individuals must be submitted via OCR’s website portal by March 1, 2014. A separate form must be submitted for each breach that occurred during the 2013 calendar year. A copy of the completed form should be printed prior to submission and maintained in the covered entity’s records to document the notification.

Although the form is available online, it’s critical that covered entities are counseled appropriately through the reporting process to ensure the notification is accurate and consistent with prior messaging regarding the breach. Before completing the online form, it’s recommended that organizations consult with attorneys who have experience in data breach investigations to avoid any missteps that could come back to harm the organization during an OCR investigation.


The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
