Small Breach Reporting Deadline

Today, February 29, 2024, is the deadline for reporting to the U.S. Department of Health and Human Services (HHS) all "small" breaches of unsecured protected health information (PHI) that occurred during calendar year 2023. A small breach involves fewer than 500 individuals. If you had a small breach in 2023, and haven’t reported it to HHS yet, you still have time. 

If you need help or have questions, contact us HERE.

HIPAA Breach Notice Requirements

  • Individual (Patient) Notice: Organizations must provide notification of all breaches to affected individuals without unreasonable delay—and no later than 60 days after discovery of a breach.
  • HHS Notice: Covered entities must also report ALL breaches to HHS. Large breaches involving 500 or more individuals must be reported to HHS when notice is sent to affected individuals.  Small breaches involving fewer than 500 individuals must be provided to HHS no later than 60 days after the end of the calendar year in which they were discovered - February 29, 2024 for breaches discovered in calendar year 2023. 

How Do We Report?
Covered entities report each small breach to HHS separately online HERE. Below are the essentials:

  • Designate someone in charge of the reporting – this should usually be the Privacy Officer. 
  • Prepare your response prior to submission – HERE is a link to the required information for reporting.
  • Retain confirmation from HHS of your online submission.
  • Be prepared for any follow up – make sure that you’ve taken all appropriate action in response to the breach and updated and/or adopted policies to ensure you are protecting against future similar events.   

Join us for CAPO in Clearwater Beach where you’ll learn everything about preventing, detecting and responding to breaches of PHI. Click HERE for more information or to register.


Industry News: