Don’t forget that March 1, 2015, is the deadline for covered entities to report all HIPAA breaches discovered in 2014 involving less than 500 individuals. The reports must be made to the Department of Health and Human Services (HHS) website, which can be found here.

You will notice that HHS has made some changes to the report form. Most importantly the new HHS form asks covered entities to describe whether they had certain safeguards in place prior to the breach. If a covered entity had multiple breaches in 2014, each breach must be reported separately. Be sure to keep a copy of all breach reports submitted to HHS for at least six years.