The HIPAA Breach Notification Rule requires covered entities, business associates, vendors of personal health records, and other third-party service providers handling protected health information to notify individuals and entities (depending on magnitude) of a breach of unsecured protected health information. 45 C.F.R. §§ 164.400 – 164.414. Any impermissible use or disclosure under the HIPAA Privacy Rule that compromises PHI is presumed to be a breach unless there is a low probability that the protected health information has been compromised.

If fewer than 500 individuals are affected by a HIPAA breach, the Breach Notification Rule allows the covered entity to notify the Department of Health and Human Services annually, but “not later than 60 days after the end of each calendar year.” 45 C.F.R. § 164.408. While that typically results in a March 1 deadline, because 2020 is a leap year, this year’s reporting deadline is February 29. For this reason, covered entities required to comply with the HIPAA Breach Notification Rule should ensure reminders are updated and notifications (if applicable) are made in consideration of the leap-year deadline.

The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation. If you need assistance with such a matter, please contact us today.