There is an important deadline of March 1 for any Covered Entity or Business Associates (like agents) who had HIPAA Privacy & Security Small Breaches in 2016. On March 1, 2017: HIPAA Privacy Data Breach filings for 2016 are due to HHS. If a covered entity or business associate had one or more data breaches in 2016 that affected 500 or fewer individuals, you must notify HHS/OCR within 60 days of the end of 2016 of the breach; ie March 1. You may report earlier, but if you have not, you must do so by March 1. Even if you filed with the state (ie certain providers, etc.), you must still file the federal filings by March 1. If the breach affected 500 or more individuals, you are required to report without reasonable delay, but no later than 60 days after the discovery, so those filings may be past due.
Breach reports must be submitted online via OCR’s breach portal. The breach portal requires a separate fillable report for each breach.
If you have questions, you can call HHS OCR toll-free at 800-368-1019, or email OCRPrivacy@hhs.gov.
