By: Lewis Brisbois' Data Privacy & Cybersecurity Team
Organizations that experienced a data incident in 2019 affecting the protected health information (PHI) of less than 500 individuals have just a few more days to submit their notification to the U.S. Department of Health & Human Services’ Office for Civil Rights (HHS/OCR).
Under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, a covered entity or business associate subject to HIPAA is required to report a breach that affected fewer than 500 people to HHS/OCR no later than 60 days after the end of prior calendar year.
This year, a covered entity or business associate has until March 1, 2020 to submit its 2019 small breach reports to the agency.
Organizations that still need to report an incident to HHS/OCR can do so via the agency’s online portal.
If you have any questions about submitting breach notifications, contact the authors of this post or visit our Data Privacy & Cybersecurity Practice page to find an attorney in your area.
Each of the Firm's offices include partners, associates and a professional staff dedicated to meeting the challenge of providing the firm's clients with extraordinary service.