Covered entities that experienced a “small” breach of unsecured protected health information in 2011 have until Feb. 29 to submit their notifications to the Secretary of the U.S. Department of Health & Human Services (HHS) through the HHS website. Failure to do so could put your organization in violation of the federal breach notification law.

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act’s breach notification interim final rule, covered entities must report breaches affecting fewer than 500 individuals (referred to as “small breaches”) to HHS electronically on an annual basis. These reports are due within 60 days after the end of the year in which those breaches occurred. With February coming to a close (and with this being a leap year), covered entities that had small breaches in 2011 should be preparing the electronic form for submitting notice to HHS, if they haven’t done so already. Notifications should be made on the HHS website. Each small breach must be reported separately, so be sure to allocate enough time to properly submit notices for each such breach. 

HHS reports that it has received tens of thousands of notifications relating to small breaches in recent years. Of some small comfort, HHS will not be publishing a list of the entities involved in these smaller breaches, unlike the larger breaches affecting 500 or more individuals. All breach reports are forwarded to regional HHS offices, and HHS has indicated that these offices have discretion regarding whether to open an investigation of small breaches.

As with any submission to the government, covered entities should review carefully the items covered in the notice to ensure that they respond accurately and completely. Notably, Section 5 of the notice includes an attestation for the submitting party to certify the accuracy of all statements made in the notice. Covered entities also may want to consult with your legal counsel in developing any such notifications.