Under HIPAA rules, covered entities are required to report breaches of unsecured protected health information (PHI) to the Secretary of the Office of Civil Rights (OCR). The deadline for reporting breaches of PHI discovered during 2014 that affected fewer than 500 individuals is March 1, 2015.

The U.S. Department of Health & Human Services (HHS) OCR website states the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Breaches involving more than 500 individuals must be reported within 60 days of discovery of the breach.

Reports should be made electronically on the HHS OCR website.

What This Means to You

If you discovered a breach of unsecured PHI during 2014, you must take action. Breaches involving more than 500 individuals must be reported within 60 days of discovery of the breach. Breaches involving fewer than 500 individuals must be reported by March 1, 2015. If you fail to comply, you will be in violation of HIPAA, and penalties for noncompliance may be issued.