A significant number of the HIPAA data breaches reported for March came from health plans; in fact, three of the four largest HIPAA breaches for the month were reported by health plans. A majority of these incidents involved hacking of network servers.
A "covered entity" must notify the Department of Health and Human Services (HHS) if it discovers a breach of unsecured protected health information. See 45 C.F.R. § 164.408. All notifications must be submitted to the Secretary of HHS using the web portal found at HHS.gov.
The HIPAA rules that require reporting to the government set different deadlines based on the number of individuals affected. If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. For larger breaches, entities must report "without unreasonable delay" and in no case later than 60 calendar days from the discovery of the breach. Please note that other laws, including state reporting requirements and the requirement to notify affected individuals, may impose earlier deadlines.
As required under § 13402 of the HITECH Act, HHS must post a list of the breaches affecting 500 or more individuals, which is also reported to Congress. For assistance with HIPAA reporting requirements, please contact Kinney & Larson LLP.