2022 HIPAA Breach Notification Deadline is March 1

February 16, 2022
Practices who had a breach of protected health information (PHI) in 2021 that affected less than 500 individuals will need to take action before March 1.
Dark blue background; Data Breach within circile

Healthcare practices are often targets of data breaches because of the valuable patient information they have on file.  Offices who had a breach of protected health information (PHI) in 2021 that affected less than 500 individuals will need to take action.  If your practice was among those affected, the HIPAA Breach Notification Deadline of March 1, 2022 is quickly approaching.

Breach Notification Deadline Basics

The HIPAA Breach Notification Rule outlines specific actions that must be taken for all breaches, but it adds additional requirements based on the number of people impacted:

  • If a breach in the 2021 calendar year affected less than 500 individuals (small-scale), the notification must be made to the Secretary of Health and Human Services within 60 days of the end of the calendar year in which the breach occurred. This includes breaches of only one person’s PHI.
  • If multiple small-scale breaches occurred within a calendar year, they must all be reported within 60 days of the end of the year. The deadline to report any small-scale breach in 2021 is March 1, 2022.
  • If 500 or more patients are affected in a breach, it must be reported to the Secretary of Health and Human Services within 60 days of discovery, and notification must also be made to the news media.

Regardless of the size of the breach, all affected parties must receive breach notification letters within 60 days of the discovery of the breach, not the end of the year.

If ten or more individuals cannot be notified by mail, the breach notification must be posted on your organization's website for at least 90 days.

Things That Require HIPAA Breach Notification

Cybercrimes have dominated the news in the past year, but hacking and ransomware attacks are just two examples of incidents that could lead to a breach. Don’t forget these additional reasons to report a breach:

  • Unauthorized access or disclosure of PHI. When PHI is accessed or disclosed inappropriately by employees or unauthorized individuals. This can occur through paper/films, EMR/EHR, or email.
  • Theft or loss of an unencrypted device with access to PHI. When an unencrypted electronic device containing PHI is lost or stolen. This includes desktop computers, laptops, tablets, mobile phones, or other portable electronic devices with the potential to access PHI.
  • Improper disposal of medical records. When paper or electronic records are disposed of in a way that leaves them susceptible to unauthorized access. Paper records must be shredded, burned, pulped, or pulverized, rendering PHI unreadable and unable to be reconstructed. Electronic devices must be purged, cleared, or destroyed.

Help with the HIPAA Breach Notification Deadline

If you need guidance or have questions, the experts at Compliancy Group are happy to assist you. As an AOAExcel endorsed solution, Compliancy Group is dedicated to helping eye care professionals across the country succeed. Find out more about Compliancy Group and HIPAA compliance. Get compliant today!

Related News

HIPAA Annual Security Risk Assessment Deadline Approaching

Ensure you understand the six components of the mandatory HIPAA Annual Security Risk Assessment prior to the December 31st deadline.

Preventing Ransomware Attacks in Your Optometric Practice

With the recent rise in ransomware attacks within the healthcare industry it’s important to be aware of the latest trends. Bring these ransomware prevention tips to your next staff meeting.

Five Indicators of Phishing Emails

Take these 5 tips to your next staff meeting to help them identify malicious emails before they wreak havoc on your practice.