HIPAA requires that covered entities notify the Office for Civil Rights (OCR) of any breaches of unsecured protected health information that affects less than 500 individuals in a calendar year within 60 days following the end of the calendar year.

Therefore, all breaches that affected less than 500 individuals that occurred in 2022 and have not already been reported to the OCR must be reported no later than March 1, 2023.

These breaches can be reported to the OCR through its online portal:  https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.