March 1, 2014 Deadline for Reporting HIPAA Breaches

HIPAA Covered Entities that encountered a breach incident during 2013 affecting the unsecured protected health information (“PHI”) of fewer than 500 individuals have an impending reporting requirement.

Pursuant to HIPAA's breach notification requirements (45 C.F.R. 164.408), all Covered Entities are required to complete an online notification form to report these breach incidents to Health and Human Services' Office of Civil Rights ("OCR") by March 1, 2014. If more than one breach incident involving fewer than 500 individuals occurred in 2013, a separate form must be completed for each breach incident. The form will request certain information regarding the breach incident, including the following:
  • A brief description of what happened, including dates of breach and discovery
  • Approximate number of individuals affected by the breach
  • Description of the types of PHI involved in the breach
  • Location of the breach information (laptop, computer, email, etc.)
  • Brief description of the steps taken in response to the breach
  • Safeguards in place prior to the breach
  • Contact procedures, including the name and contact information for the covered entity and, if the breach involves a business associate, the name and contact information for the business associate

In 2013, the definition of “breach” was revised to mean “the acquisition, access, use or disclosure of protected health information in a manner not permitted under subpart E [of the HIPAA Regulation] which compromises the security or privacy of the protected health information.” Such acquisition, access, use or disclosure is presumed to be a breach unless the Covered Entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment into the nature and extent of PHI involved, the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated. The new definition then excludes certain unintentional acquisitions, access, or use of PHI, inadvertent disclosures, and good faith disclosures.

The online notification form that is to be completed by the Covered Entity is available on the OCR website.

For more information on HIPAA breaches and how to report them, please contact Meghan McNab or Susan Ziel.