Covered entities that experienced a breach (or breaches) of protected health information (PHI) have 60 days after the end of the calendar year to submit reports to the Office for Civil Rights (OCR), making this year’s deadline Monday, Feb. 29.

The year-end rule applies to breaches of fewer than 500 individuals; breaches affecting 500 or more individuals must be reported within 60 days of discovering the breach.

Individuals’ personal medical information, or PHI, is guarded by the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

OCR maintains an online portal for filing breach reports.


If you own or operate a small to medium-sized business, managing all your employees plus meeting federal labor laws and regulations can be daunting, especially with new rules being issued all the time. To help you understand your rights and responsibilities in every facet of running a business, please order a copy of Personnel Concepts’ All-On-One HR Compliance Program for Small Businesses.