February 29, 2020 is the deadline by which time Covered Entities who experienced a Breach of Unsecured Protected Health Information (PHI) during calendar year 2015 must notify the Secretary of the U.S. Department of Health & Human Services (HHS).
A Breach is defined as an unauthorized “acquisition, access, use, or disclosure” of unsecured PHI that compromises the security or privacy of the PHI. Pursuant to the 2009 HITECH Act and the 2013 Final Omnibus Rule, Covered Entities, on an annual basis, must electronically report Breaches affecting fewer than 500 individuals to HHS electronically within 60 days of the close of the calendar year. Notifications may be made by completing the form found on the HHS website.
The form requires the Covered Entity to respond to several questions about the Breach including providing a short description of what occurred and how the Breach was resolved. The Covered Entity must also certify that all of the information provided in the form is accurate.
Please be advised that not all violations of HIPAA constitute a “Breach” and only violations of HIPAA which rose to the level of a “Breach” need to be reported to HHS. Your Houston Harbaugh, P.C. attorneys are available to assist you in determining whether an incident requires the filing of a report and we can also assist in the notification filing process.