Gazelle Consulting

Deadline Approaching: Report all small HIPAA breaches to HHS by Feb 29th

Most HIPAA compliant businesses understand that they must notify HHS of any breach that affects more than 500 patients to the HHS no later than 60 days after the breach occurs, but how do you report small breaches of under 500 individuals? 


HHS has another set of guidelines for these small breaches, which require organizations to submit a list of all breaches affecting fewer than 500 individuals within a jurisdiction no later than 60 days after the end of the calendar year, which is February 29th. Businesses should submit a log containing a notification of each incident to HHS here. Notices for each breach must include the following: 


  • The start and end dates of the breach

  • The discovery dates of the breach

  • Approximate number of individuals affected by the breach

  • Type of breach (Hacking/improper disposal/loss/theft/unauthorized access)

  • Location of breach (Desktop computer/EMR/email/laptop/network server/paper)

  • Type of PHI involved (Clinical/demographic/financial)

  • A brief description of the breach

  • Safeguards in place prior to the breach

  • Notice that you provided to affected individuals

  • Actions taken in response to the breach 

Remember, organizations can submit notifications for small breaches at any time, and as they occur. but if there are any breach incidents that have not been submitted already, now is your last chance to do so before this becomes an additional HIPAA violation for your business. 

You can read more about HHS’s guidelines for breach notification here.