Provided by:  Jennifer Kirschenbaum, Esq.

December 19, 2017




Hi Jennifer, 

Do I have an obligation coming up to report on HIPAA?  Thought there was an annual requirement now?  What do I do?

Dr. P


Yep!  It's that time of year again...the time to self-report and hope to dodge review by a government agency! You have until the end of February to report breaches impacting less than 500 people from 2017.  For an overview of what you need to know and do, check out the webinar I already have posted on our webinar page, titled :"Is this a HIPAA Breach, and if so, What Now?" - (1 over and 1 down).  

The trickiest part of the disclosure requirement is being sure you are actually reporting a "breach" and not making  a mountain out of a "disclose" molehill.  Be sure to give your practice enough time to review any documented disclosures so that you are properly classifying which may actually have been a breach, and which do not actually constitute a breach.  Self-reporting is a big deal; if you do not self-report and a patient or employee or other makes a complaint and you had a duty to report, for sure, consequences will be more severe.  OCR is looking to make sure covered entities (practitioners) are employing preventative measures when it comes to HIPAA, so proper compliance in the first place, and reporting when necessary are major components to compliance and necessary.   (If you just haven't gotten it together yet on compliance, we are offering 10% off all compliance documents until the end of the year - check out 

All disclosures must be submitted to the Secretary using the Web portal below.  You may report all of the breaches affecting fewer than 500 individuals on one date, but you must complete a separate notice for each breach incident. You must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form.   If necessary, you can later submit a follow up with newly found information regarding a prior report by clicking the link and selecting “Addendum to Previous Report” and using the transaction number provided after its submission of the initial breach report

For general info put out by the government, click here -

If you just aren't sure a disclosure constitutes a breach, call Jennifer or Michael to discuss.  Certain situations will require an assessment.