Annual breach reports due this week: If you are a HIPAA covered entity and suffered a "small" (<500 affected people) breach of unsecured PHI during 2020, you need to report the incident to OCR this week if you haven't done so already.

When a covered entity suffers a HIPAA data breach, the patient must be notified without unreasonable delay, and no later than 60 days. If the breach is big, involving 500 or more people, the covered entity must also notify OCR and major media in the area at the same time; if it's fewer than 500, only the patient needs to be notified immediately, and there's no requirement to notify the newspapers at all. OCR still needs to be notified, but the covered entity is required to notify OCR of all of its small breaches at the same time: during January or February of the next calendar year. The filing is pretty easy: it's mostly fill-in-the-blank and menu-driven choices. Thus, if you had any small breaches in 2020, you need to report them by the end of this week.

