If a Health Insurance Portability and Accountability Act (HIPAA)-covered entity experiences a data breach involving fewer than 500 individuals, the incident must be reported to the U.S. Department of Health and Human Services (HHS). The breach can be reported within the same 60-day timeframe in which the affected individuals are notified, just as larger breaches must be. Alternatively, covered entities can document the incident, then report it to the HHS Office for Civil Rights no later than 60 days after the end of the calendar year.
These breaches must be reported in the manner specified on the HHS website. The 2022 deadline to submit reports is March 1. Covered entities must still complete separate notices for each incident. The online notice form will require several pieces of information, including:
- contact and identification information for the entity reporting the breach
- identification of the type of incident involved
- the location of the breach
- the type of data involved
- a brief description of the incident
- identification of any safeguards implemented prior to the incident
- certain details regarding the provision of notice to individuals
- actions taken in response
More information is available on the HHS website. Covered entities should have systems in place to ensure that these incidents are reported as required.
