By March 1, 2014, health care providers that are HIPAA "covered entities" must report to the Department of Health and Human Services' Office for Civil Rights ("OCR") all breaches of unsecured protected health information discovered in calendar year 2013 that involve fewer than 500 individuals. The report must be submitted electronically on the OCR website.
Under HIPAA, covered entities — including hospitals, physicians, physician practice groups, other health care providers and health plans — must report a breach of unsecured protected health information (PHI) to affected individuals, the Department of Health and Human Services' Office for Civil Rights ("OCR") and, in some cases, the media. For small breaches — those involving fewer than 500 people — covered entities must report the breach (1) to affected individuals, "without unreasonable delay" and in any case within 60 days after discovering the breach, and (2) to OCR, within 60 days after the end of the year in which the breach is discovered. Thus, all small breaches discovered during calendar year 2013 must be reported to OCR by March 1, 2014 (60 days after December 31, 2013).
A separate form must be completed for each breach discovered during the year being reported. As a reminder, to facilitate this reporting obligation, health care providers are required to keep a log or other documentation of all smaller breaches discovered throughout the year.
Note that this reporting requirement applies to breaches that were discovered in 2013, and not necessarily those that occurred in 2013. A breach is "discovered" if the covered entity knows of the breach or would have known of the breach by exercising reasonable diligence. For example, if a breach occurred in December 2013, but was not discovered until February 2014, the covered entity may, but does not need to, report the breach to OCR in 2014. The last date the covered entity has to report such a breach to OCR would be March 1, 2015. Similarly, if a breach occurred in August 2012, but was not discovered until the following August, the covered entity must report the breach to OCR by March 1, 2014.