HIPAA-covered entities must report small data breaches of protected health information (PHI) affecting fewer than 500 individuals to the Office for Civil Rights (OCR) by March 1. The law allows 60 days after the close of a calendar year before that year’s small breaches must be reported to OCR.

When the breach itself occurs, however, the HIPAA-covered entity must report it to those affected within 60 days.

Each breach must be reported separately, but the reports can be submitted online.