The HIPAA (Health Insurance Portability and Accountability Act) breach notification regulations require covered entities to self-report the unauthorized access, use or disclosure of unprotected protected health information (PHI) to the Office for Civil Rights (OCR).
If the data breach involves more than 500 individuals, the notification must be made to the OCR immediately. If the breach involves fewer than 500 individuals, the covered entity must notify the OCR within 60 days after the end of the calendar year (or February 28). Either way, the report is filed through the OCR website, and the process is fairly self-explanatory.
Many covered entities file their breach reports for breaches involving fewer than 500 individuals through the OCR website at the time they are notifying individuals, but many others wait until the deadline to self-report all such breaches.
Whether you decide to report at the time of the breach or at the end of the year, the deadline for reporting these incidents is fast approaching. If you haven’t taken care of the reporting obligation yet, now is the time to do so.