Healthcare providers and other HIPAA covered entities have until Wednesday, February 29, 2012, to submit notice of breaches of unsecured Protected Health Information that affected fewer than 500 individuals during 2011. Notice must be submitted electronically to the Secretary of Health & Human Services, and a separate form is required for each data breach that occurred during the calendar year.

This action is mandated by the Interim Final Rule for Breach Notification for Unsecured Protected Health Information, which became effective on September 23, 2009. A breach is defined under federal law as the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner that violates the HIPAA Privacy Rule and compromises the privacy or security of the PHI. Determining whether a breach has occurred, however, requires the analysis of a number of additional factors. Under the Interim Final Rule, breaches affecting fewer than 500 individuals must be reported to the Secretary within 60 days of the end of the calendar year.

Covered entities must document data breaches affecting fewer than 500 individuals in their breach logs as the breaches occur throughout the year, but they are not required to publicly report these breaches until 60 days after the end of the calendar year.
