Reporting a HIPAA Breach – Details You’ll Want to Know

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

The Health Insurance Portability and Accountability Act, commonly known as HIPAA, was created to set national standards. These standards protect individuals' personal health information and medical records and give individuals easy access to them. As the March 1st deadline for reporting a breach draws closer, it is important to know whether you need to report, what you need to report, and how to do it properly.

How Do I Know If I Have to Report an Incident?

If you have a breach that has affected 500 or more individuals, you need to report it within 60 days of the discovery of the incident. Breaches that affect fewer than 500 patients must be reported within 60 days of the end of the year in which the breach occurred. So, if you had a breach in February of 2021 that affected the data of 350 individuals, you have until March 1, 2022, to report it to the Department of Health and Human Services (HHS). One caveat to note: regardless of the size of the breach, all affected individuals must be notified within 60 days of the discovery of the breach. That notification can come in the form of a breach notification letter, which outlines the details and how they can monitor their information.

What Do I Need to Know for the HIPAA Breach Notification Form?

The Office for Civil Rights (OCR) will ask you a series of questions when you report the breach. They will include some of the following questions:

  • Is this an initial report or an addendum?
  • Are you a covered entity or a business associate?
  • Date of the breach – both the start/end of the breach and the start/end of the discovery
  • How many individuals were affected by the breach?
  • What type of breach occurred – theft, hacking, unauthorized access, etc.?
  • The location of the breach – was it via email, on a laptop, or desktop?
  • What information was compromised?

The healthcare industry is a known target for cybercrime. And the risk of a breach continues to rise daily for all businesses.

This article was originally published on HIPAA Secure Now! and is republished here with permission.