Every year, we remind our clients that the HIPAA Breach Notification Rule (45 C.F.R. § 164.408) requires covered entities to notify the Secretary of the Department of Health and Human Services, through the Office for Civil Rights (OCR), of all reportable small data breaches within 60 days of the end of the calendar year in which the breach occurred; a small breach is one affecting fewer than 500 individuals. In most years, the deadline for reporting small data breaches is March 1. Because this is a leap year, however, all covered entities must notify OCR one day earlier than usual, by February 29, 2020.
All breaches must be submitted via OCR’s self-reporting breach portal. Note that covered entities must report each data breach separately; because complete information is required for each breach, this process can take some time if two or more small data breaches occurred within a single calendar year. For this reason, we strongly recommend reporting breaches well ahead of the deadline to avoid incurring financial penalties. To ensure compliance, many covered entities elect to notify OCR at the same time they provide notice to the affected individuals. For breaches involving an undetermined number of affected individuals, an estimate can be included in the breach report and an addendum can be submitted once the actual number is known.