Provided by: Jennifer Kirschenbaum, Esq.
February 13, 2024
Question:
Hi Jennifer,
I believe my window to self report for HIPAA breaches is closing. Can you please confirm and give me and explanation of what my next steps are?
Thank you,
Dr. K
Answer:
Dr. K, You are correct. At the end of February, the window closes to report breaches from last year, impacting less than 500 individuals. Whether a disclosure constitutes a breach and you have an obligation to report Is a separate question, and, arguably the more important one.
Starting with the first question, when you have a duty to report, here is how you report - https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.
Whether a disclosure constitutes a breach and warrants reporting is more complicated, as it requires in some instances a multi-factor test weighing mitigating circumstances. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html. I recommend having each instance of disclosure reviewed before self-determining a reporting obligation. So, for next steps, prior to reporting, let's discuss the circumstances, and, on a go-forward basis, I recommend a contemporaneous review, not retrospective In each instance, at the time, please share details so we can do a proper assessment at the time of the disclosure.
Hi Jennifer,
I believe my window to self report for HIPAA breaches is closing. Can you please confirm and give me and explanation of what my next steps are?
Thank you,
Dr. K
Answer:
Dr. K, You are correct. At the end of February, the window closes to report breaches from last year, impacting less than 500 individuals. Whether a disclosure constitutes a breach and you have an obligation to report Is a separate question, and, arguably the more important one.
Starting with the first question, when you have a duty to report, here is how you report - https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.
Whether a disclosure constitutes a breach and warrants reporting is more complicated, as it requires in some instances a multi-factor test weighing mitigating circumstances. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html. I recommend having each instance of disclosure reviewed before self-determining a reporting obligation. So, for next steps, prior to reporting, let's discuss the circumstances, and, on a go-forward basis, I recommend a contemporaneous review, not retrospective In each instance, at the time, please share details so we can do a proper assessment at the time of the disclosure.
