Among other things, the HIPAA Breach Notification Rule requires HIPAA covered entities to report all breaches of unsecured protected health information (PHI) to the U.S. Department of Health & Human Services (HHS). A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals.
If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify HHS of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.
If a breach of unsecured PHI affects fewer than 500 individuals, a covered entity must notify HHS of the breach within 60 days of the end of the calendar year in which the breach was discovered. For calendar year 2016, this generally means that breach notification is due to HHS by March 1, 2017.
All breach notifications to HHS must be submitted online. Click here for more information and a link to the submission portal.