HIPAA-covered entities must report small data breaches of protected health information (PHI) affecting fewer than 500 individuals to the Office for Civil Rights (OCR) by March 1. The law allows for 60 days to elapse at the close of a calendar year before that year’s small breaches must be reported to OCR.

When the breach itself occurs, however, the HIPAA-covered entity must report it to those affected within 60 days.

Each breach must be reported separately, but the reports can be submitted online.