The window for HIPAA covered entities to report small data breaches for 2016 will close next week. Under the HIPAA regulations, covered entities must log all breaches involving fewer than 500 individuals that occurred during the calendar year. Covered entities then have until 60 days after the end of the calendar year to notify the U.S. Department of Health and Human Services (HHS) of all such breaches. This year, the deadline is March 1, 2017.

Failure to meet the deadline for reporting 2016 data breaches would constitute a violation of the HIPAA Breach Notification Rule, and such a failure could result in financial penalties. In addition, late breach reports could trigger an investigation by the HHS Office for Civil Rights (OCR), particularly in light of recent OCR guidance indicating that it will focus on and initiate investigations on small breaches.

All reports must be made to HHS via its online portal. Going forward, covered entities should note that while they may elect to provide an annual reporting of their small breaches, they are not required to wait until the end of the year to do so. Reporting breaches during the course of the year may be less burdensome for covered entities, as each incident must be submitted individually through the portal and covered entities cannot submit their breach logs. Covered entities should also keep in mind that large data breaches (i.e., those affecting 500 or more individuals) must be reported to HHS and the media within 60 days of the incident.