Provided by:  Jennifer Kirschenbaum, Esq.

December 20, 2022


Hi Jennifer,

What are the end-of-year HIPAA reporting requirements? Can you give me a refresher?

Thank you!
Dr. H


Provided by Clorissa Winters, Esq., of K&K's healthcare team - 

As we reach the close of the year, it is important to remember not only the fun and happiness we shared throughout the year, but also the mandatory HIPAA reporting and compliance measures.


It's the time of year to confirm compliance with the Office for Civil Rights' annual HIPAA breach reporting. Each covered entity needs to determine whether it has any reportable breaches. Generally, a breach is an "impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."

If you believe you have reportable breaches (and you have confirmed with counsel, which we recommend), then you must submit one report for each breach that has occurred. For breaches affecting more than 500 individuals, the covered entity must file a report "without unreasonable delay and in no case later than 60 days following a breach." For breaches affecting fewer than 500 individuals, a report must be made within 60 days of the end of the calendar year in which the breaches were discovered. Do not wait until the last minute. While the report itself is not long, the content you are providing is extremely important, as this is your opportunity to explain what happened and what actions were taken by your practice to rectify the situation and prevent the breach from occurring in the future. Some of the questions on the report that you should be prepared to answer include:
•    contact information for the practice and for a business associate if the breach occurred at or by the business associate;
•    dates the breach started, ended and was discovered;
•    number of individuals affected by the breach;
•    type and location of breach;
•    type of protected health information involved (e.g., name, address, Social Security number);
•    description of the breach and actions taken in response to the breach;
•    safeguards in place prior to the breach;
•    dates notice of breach was given.

The link to electronically submit a report (one per breach) is  
For more information regarding the annual reporting process, please see OCR's website, or you can contact Jennifer to discuss.


In addition to end-of-year reporting requirements, it is the season for your annual Security Risk Assessment, which, if you use the recommended HealthIT-developed tool, will assess the three major safeguards protecting PHI: technical, administrative and physical. The federal government offers a Security Risk Assessment Tool that helps determine your risk, available at

A bit about each section of the assessment -
1. HIPAA security technical safeguards include access control, audit controls, integrity, person or entity authentication and transmission security.

2. HIPAA administrative safeguards include security management process, assigned security responsibility, workforce security, security awareness and training, security incident procedures, a contingency plan, ongoing evaluation, and business associate contracts and other arrangements drafted by an attorney.

3. HIPAA physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. HIPAA requires certain safeguards and recommends others. Complying with HIPAA is an ongoing process that requires audits, evaluations and reevaluations.

We recommend working with your IT provider to complete your practice's annual Security Risk Assessment.  

For assistance assessing your end-of-year reporting obligation, if any, or to talk HIPAA with our team in general, please reach out to Taryn at or (516) 747-6700 x 310.

For small practice solutions, we also offer a suite of compliance forms available here -