Every year, we remind our clients that the HIPAA Breach Notification
Rule (45 C.F.R. § 164.408) requires covered entities to notify the
Secretary of the Department of Health and Human Services via the Office
for Civil Rights (OCR) of any reportable small data breaches within 60
days of the end of the calendar year in which the data breach occurred;
small breaches are those involving fewer than 500 records. In most
years, the deadline for reporting small data breaches is March 1,
however because this is a leap year all covered entities must notify OCR
one day earlier than usual, by February 29, 2020.
All breaches must be submitted via the OCR’s self-reporting breach portal.
Note that covered entities must report each data breach separately;
because complete information is required for each breach, this process
can take some time if two or more small data breaches occurred within a
single calendar year. For this reason, we strongly recommend timely
reporting of breaches ahead of the deadline to avoid incurring financial
penalties. To ensure compliance, many covered entities elect to provide
notification to OCR simultaneously with individual notice. For breaches
involving an undetermined number of affected individuals, an estimate
can be included in the breach report and an addendum can be submitted
once the actual number is known.”