Covered entities bound by the Health Insurance Portability and Accountability Act (HIPAA) and its breach notification rule must submit reports of breaches affecting fewer than 500 individuals by March 1, or within 60 days after the end of the calendar year in which the breaches occurred. Here's the language explaining the reporting requirement:

If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach.

Breaches must be reported to the Office for Civil Rights (OCR).

