Reminder: Notice of 2017 small HIPAA breaches due to HHS soon



The deadline to submit notice to the Department of Health and Human Services (HHS) of small HIPAA breaches (those that affected fewer than 500 individuals) discovered in calendar year 2017 is March 1, 2018.

The applicable HIPAA regulation (45 CFR 164.408(c)) provides:

For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.

Notice of such breaches should have already been sent to the affected individuals. However, if covered entities waited to notify HHS, they should submit notices soon. Breaches are to be reported using the HHS website.  

Covered entities face additional penalties for failing to report breaches in a timely manner. HHS also audited for compliance with notice requirements as part of its Phase 2 audits.
