Covered entities are required to report any breach of unsecured protected health information (“PHI”) to the Secretary of the U.S. Department of Health & Human Services, Office of Civil Rights (“OCR”). A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. For breaches affecting fewer than 500 individuals, a covered entity must notify OCR within 60 days of the end of the calendar year in which the breach was discovered. For breaches occurring in 2015, the deadline is just four days away on February 29.
Covered entities can report all of its breaches affecting less than 500 individuals at the time of the breach discovery or report all on one date. A separate notice for each breach incident is required and must be submitted electronically through the OCR web portal.
If your organization experienced a breach of PHI in calendar year 2015, and the breach affected fewer than 500 individuals, you must report the breach by February 29, 2016. A breach can be reporting by clicking on the link below and completing all of the fields of the breach notification form.