A significant HIPAA reporting deadline is fast approaching for all covered entities.
For small breaches (affecting fewer than 500 individuals), a covered entity must notify the OCR within 60 days of the calendar year in which the breach was discovered. For 2022 reporting purposes, the deadline is March 1, 2023. While covered entities are not required to wait until the end of the calendar year to report small breaches, they must be submitted within this time frame. Separate notice must be submitted for each small breach not previously reported in the 2022 calendar year. Notice for a breach affecting fewer than 500 individuals can be submitted here.
Additional information on HHS breach reporting requirements can be found here.