Another Compliance Date - HIPAA Breach Notifications Due Today!

HIPAA breaches continue to pose significant challenges for employer group health plans, mandating strict adherence to reporting requirements outlined by the Office of Civil Rights (OCR) within the Department of Health and Human Services. It is imperative for HR professionals overseeing these plans to understand their obligations in reporting breaches of unsecured protected health information.

Reporting Obligations:

Employer group health plans, classified as “covered entities” under HIPAA, must report breaches of unsecured protected health information to the OCR. Today (February 29, 2024) is the deadline for reporting small breaches affecting 500 or fewer individuals occurring in 2022. While the responsibility lies with the employer to ensure timely reporting and the submission is made through the OCR web portal.

Notification Requirements:

In addition to reporting to the OCR, affected individuals must be notified of a HIPAA breach within 60 days of its discovery by the plan. Larger breaches impacting more than 500 individuals have additional requirements. In such cases, notification to HHS must occur within 60 days. If the breach affects more than 500 individuals within a single state, the plan is required to notify prominent media outlets serving that state within the 60-day period, in addition to notifying affected individuals and HHS.

Conclusion:

In navigating the complex landscape of HIPAA compliance, HR professionals must remain vigilant in adhering to reporting and notification requirements outlined by the OCR. Ensuring timely and accurate reporting of breaches is essential not only for regulatory compliance but also for maintaining trust and transparency with plan participants.