February 13, 2024
 
Question:
Hi Jennifer,
 
I believe my window to self report for HIPAA breaches is closing.  Can you please confirm and give me and explanation of what my next steps are? 

Thank you, 
Dr. K



Answer:

Dr. K, You are correct. At the end of February, the window closes to report breaches from last year, impacting less than 500 individuals. Whether a disclosure constitutes a breach and you have an obligation to report Is a separate question, and, arguably the more important one.  

Starting with the first question, when you have a duty to report, here is how you report - 
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.  


Whether a disclosure constitutes a breach and warrants reporting is more complicated, as it requires in some instances a multi-factor test weighing mitigating circumstances.  https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.  I recommend having each instance of disclosure reviewed before self-determining a reporting obligation. So, for next steps, prior to reporting, let's discuss the circumstances, and, on a go-forward basis, I recommend a contemporaneous review, not retrospective In each instance, at the time, please share details so we can do a proper assessment at the time of the disclosure.