March 1, 2017 Deadline Approaches for Reporting Smaller Breaches of Unsecured PHI

February 10, 2017

HIPAA “Covered Entities” potentially have multiple notification obligations following breaches of unsecured protected health information (“PHI”). These obligations are shaped by the number of persons affected by the breach and could involve notices to the affected individuals, to the media, and to the government. In regard to notifying the government of those breaches of unsecured PHI affecting fewer than 500 individuals, HIPAA requires Covered Entities to notify the U.S. Department of Health and Human Services Office for Civil Rights (the “OCR”) no later than 60 days after the end of the calendar year in which those smaller breaches were discovered.

Notifications must be made to the OCR no later than March 1, 2017 for breaches discovered in calendar-year 2016 that affected fewer than 500 individuals. If a Covered Entity has delegated any or all of its reporting obligations to a Business Associate, then the Business Associate may need to comply with this March 1 deadline.

It is important to confirm any reporting obligations you may have and that you are prepared to meet this notification deadline. More information on breach notification and how to report is available here:

Should you have questions about this Alert, feel free to contact Karl Strauss at (419) 252-6250 or, or others at Spengler Nathanson.