OCR Breach Reporting: 2018 “Small Breach” Report Due Friday, March 1st

Healthcare Alert

Client Alert


Don’t forget that the required end-of-the-year reporting of any small breaches of unsecured protected health information (PHI) that were discovered in 2018 is coming up. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers and health plans that are covered entities under HIPAA must report breaches of unsecured PHI affecting fewer than 500 individuals annually to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) within 60 days of the end of the year in which the breach was discovered, so reporting of breaches discovered in 2018 will be due Friday, March 1, 2019. Reports may be made through OCR’s website.

These small breaches should have already been reported to each of the affected individuals within 60 days of discovering the breach. The reports to OCR should include the actions the covered entity has taken to mitigate and remediate any harmful effects of such breaches, even those affecting a single individual. Reports to OCR of large breaches (those affecting 500 or more individuals) must be made at the time of reporting to the affected individuals—that is, without unreasonable delay and in no case later than 60 days from the discovery of the breach.