
HIPAA Breach Notifications Due March 1st

Health care providers must file all 2016 incidents

March 1st, 2017 is the deadline for health care providers to submit notifications of small breaches of unsecured protected health information. Breaches made during 2016 must be reported to the US Department of Health and Human Services (HHS). The Civil Rights Office (OCR) within HHS must be made aware of any breach affecting 500 or fewer individuals that violates HIPAA’s Privacy Rule.

HIPAA is the Health Insurance Portability and Accountability Act, a protection for individuals to retain their medical and health information privacy against covered entities. The US law is upheld by the HHS.

Who is a Covered Entity Under HIPAA?

Health care providers are covered entities under HIPAA. If you own or work for a health practice or within the healthcare industry, you most likely need to adhere to HIPAA’s rules and regulations. Covered entities include Doctors, Physician Assistants, Nurse-midwives, Dentists, Podiatrists, Chiropractors, Clinical Psychologists, Psychiatrists, Nurse Practitioners, Optometrists, Clinical Social Workers, Health Care Clinics, Health Insurance Companies, Health Care Clearinghouses, Christian Science Practitioners, Medical Billing Services, Hospitals, and Medical Facilities.

What is a Breach?

HHS describes a breach as the disclosure of any private health information that is protected by the Privacy Rule. The disclosure can be made by the provider, employees of a provider, or a business associate. What counts as a disclosure? It can be as straightforward as medical files going missing while in shipment to your new office space, or your business service being hacked.

Breaches also include incidents that are not so obvious or malicious. Health care providers are now under constant pressure to move their business and services online to be competitive in their industry. Moving online to offer electronic prescriptions, remote medicine, and web appointments is necessary to keep up, but it also opens providers up to liability and the need to keep their patients’ information safe.

Even a simple contact form on a provider website should be secure so it can protect electronic protected health information (ePHI). The form might ask solely for contact information, but people are not at their best or in a good frame of mind when they are seeking help.

How aware are you when you are in blistering pain? Providers need to be ready for the time when an individual is not at their best. Do you think your patients even know how easy it is to transmit ePHI that is not in HIPAA compliance? Either way, the burden of proof is on the provider.

To learn more about what constitutes a breach, go to HHS’ website.

Who Needs to Be Notified of a Small Breach?

Who needs to be notified when your practice or office has potentially shared private health information or ePHI?

  1. The affected individuals
  2. The HHS Secretary

If you are a business associate of a covered entity, you must notify them if they or their patients have been affected.

Notice to the Affected Individuals

Affected individuals of a breach must be notified by first-class mail. If they have previously agreed to electronic communication, they can also be reached by email. If current contact information is not available, refer to the HHS website and follow its protocol to show your best intention to reach all affected individuals.

Notice to individuals must be made within 60 days of the breach’s discovery. The notice should include:

  1. Breach description
  2. Description of personal information included in the breach
  3. Steps the individual should take to protect themselves
  4. Covered entity’s breach investigation description
  5. Contact information for who to directly contact at the covered entity

Notice to the Secretary for Small Breaches

To file a breach report, use a secure network to file with the Secretary of HHS through the Office of Civil Rights’ (OCR) portal. Each singular breach must be individually reported to the Secretary. Notification reports should be filed on a rolling basis as breaches occur.

Submit a Notice of a Breach Affecting Fewer than 500 Individuals

Notice to the Secretary for Large Breaches

If your breach affects 500 individuals or more, the March 1st deadline does not apply. Your practice or office must report the incident immediately to the Secretary and not take more than 60 days to file.

In addition to notifying affected individuals and the Secretary, large breaches must also be reported to media outlets representing the affected region. A press release should be provided to media outlets immediately after the breach discovery. At the latest, the announcement must be made within 60 days.

Submit a Notice of a Breach Affecting 500 or More Individuals

Notification by a Business Associate

If a business associate of a health care provider experiences a breach of protected health information, they need to notify the health care provider within 60 days. The notification should also include the affected individuals’ information and identification so the provider can notify each one.

Tips for the Notification Process

Contact your legal representative to review your report before you file. Once filed, keep a record of each step of the process. Your files should include the original report, submitted support materials, and the confirmation of your submission. All updates from HHS, OCR, and related entities should be kept and filed as well. Maintaining your full record will be vital if the breach leads to an investigation of your practice or office. (I am not a lawyer, so please consult yours for specific and applicable law advice.)

Review and Risk Assessment by HHS

Each breach enters a review and a risk assessment to see how much potential harm has been caused to the affected individuals. The risk assessment takes into account the following four factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.

Burden of Proof is on the Provider

When HHS reviews how your practice or office shared protected information, the burden of proof will be on you to show every possible step was taken to protect your patients’ privacy.

The proof needed includes documentation that details:

  1. Supporting documents for the risk assessment that show it is unlikely protected health information was shared, in accordance with what the affected individual previously agreed to
  2. Agreements made by the affected individual regarding their privacy and information
  3. The provider’s written policies for breach notification to affected individuals and HHS; including training for employees and business associates, procedures for when an employee breaks policy, and protocols for when there is a suspected breach
  4. Exceptions to what constitutes a breach

Is Your Website HIPAA Compliant?


Securing your website is the easy first step to keeping your patients’ information safe. Take the time now and prevent the headache of filing a breach with the government. Find out if your website is HIPAA compliant by receiving a free assessment.

