HIPAA covered entities, which include group health plans, are required to notify the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) of “small” breaches (those affecting less than 500 individuals) of unsecured protected health information. The deadline to notify HHS is March 1st following the calendar year in which the breach is discovered.

For “small” breaches that were discovered in the prior calendar year, HIPAA covered entities must report by March 1st.

Who is subject to the HIPAA breach notification requirements?

The HIPAA breach notification requirements apply to HIPAA covered entities. HIPAA covered entities include:

  • Health plans;
  • Health care clearinghouses; and
  • Health care providers who conduct certain financial and administrative transactions electronically.

Employer HIPAA breach notification obligations depend on the design of their group health plans.

  • For employers with fully insured medical plans, the HIPAA breach notification requirements are the responsibility of the carrier.
  • For employers with self-insured medical plans, the HIPAA breach notification requirements are the responsibility of the group health plan and the employer, as the plan sponsor. Most self-insured employers use a third-party administrator (TPA) to administer their plan and, as such, rely on their TPA to assess and respond to breaches and handle the breach notification requirements. This TPA obligation is usually agreed upon through contractual provisions. Self-insured employers who are unsure whether their TPA will handle any breach requirements should review their TPA contracts.

What are the HIPAA breach notification requirements?

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information or “PHI.” PHI is individually identifiable health information created or received by the group health plan, which relates to past, present, or future health care or payment for health care.

Covered entities must provide notification of the breach to affected individuals, to HHS, and in cases where the breach affects more than 500 residents of a state or jurisdiction, to the media. Below, we discuss the breach notification requirements to HHS for “small” breaches (those that affect less than 500 individuals).

For more on the breach notification rule, see this HHS webpage.

What is a breach of PHI?

A breach is an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed unless a covered entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following:

  • The nature and extent of the PHI involved, including the types of identifiers, and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Covered entities that are unsure whether a breach has occurred should consult with legal counsel.

How do covered entities notify HHS of small breaches?

Covered entities must submit a notice of a “small” breach by visiting the HHS website and filling out and electronically submitting a breach report form. Covered entities must submit a form for each small breach.

When must covered entities notify HHS?

For breaches that affect fewer than 500 individuals, the covered entity must notify HHS no later than 60 days after the end of the calendar year (i.e., March 1st) in which the breach is discovered.

For breaches that affect 500 or more individuals, the covered entity must notify HHS “without unreasonable delay” and no later than 60 days following the breach.

What information must be provided to HHS? 

In the breach report form, covered entities must include the:

  • Covered entity’s or business associate’s information and point of contact;
  • Number of individuals affected by the breach;
  • Breach dates and date of discovery;
  • Type of breach (e.g., hacking/IT, improper disposal, loss, theft, unauthorized access);
  • Location of the breach;
  • Type of information involved in the breach (e.g., clinical, demographic, financial);
  • Type of PHI involved in the breach;
  • Description of the breach;
  • Safeguards in place prior to the breach;
  • When notice was provided to individuals and the media (if required); and
  • Actions taken in response to the breach.

HHS provides a sample breach report form that covered entities can reference.

Employer Action

Any self-insured employers whose group health plan experienced a “small” breach of PHI should ensure that they or their TPA submits a breach report form to HHS before March 1st.

Additional Resources

Disclaimer: The information and materials on this blog are provided for informational purposes only and are not intended to constitute legal or tax advice. Information provided in this blog may not reflect the most current legal developments and may vary by jurisdiction. The content on this blog is for general informational purposes only and does not apply to any particular facts or circumstances. The use of this blog does not in any way establish an attorney-client relationship, nor should any such relationship be implied, and the contents do not constitute legal or tax advice. If you require legal or tax advice, please consult with a licensed attorney or tax professional in your jurisdiction. The contributing authors expressly disclaim all liability to any persons or entities with respect to any action or inaction based on the contents of this blog. © 2023 Sequoia. All Rights Reserved.

Emerald Law — Emerald is a Senior Compliance Consultant for Sequoia, where she works with our clients to optimize and streamline benefits compliance. In her free time, Emerald enjoys stand-up comedy, live music, and writing non-fiction.