By March 2, 2022, HIPAA covered entities (healthcare providers, health plans, and healthcare clearinghouses) must report to the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services all breaches of unsecured PHI discovered in 2021 that affected fewer than 500 individuals.  The deadline follows from the Breach Notification Rule: breaches affecting fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which they were discovered, so the year that counts is the year of discovery, not the year the breach began.  Covered entities must submit these reports through the HHS breach portal, located here.

This is a separate reporting process from breaches that affect 500 or more individuals.  Those must be reported to OCR individually, without unreasonable delay and no later than 60 days after discovery, and also to prominent media outlets serving the affected state or jurisdiction.

Covered entities should maintain a detailed HIPAA incident log entry for each breach incident.  The log makes the OCR submission straightforward, because the portal asks for the same data, and it should include the following items:

  • Breach tracking number (if you have one)
  • Breach dates, start and end
  • Breach discovery date
  • Number of individuals affected by the breach
  • Type of breach (e.g., hacking/IT incident, improper disposal, loss, theft, unauthorized access or disclosure)
  • Location of the breached PHI (e.g., desktop computer, EMR/EHR, email, laptop, mobile device, network server, paper records)
  • Type of PHI involved (e.g., clinical, demographic, financial, other sensitive information)
  • Brief description of the breach
  • Safeguards in place prior to the breach
  • Dates for transmission of individual notices
  • Substitute notice options (if applicable)
  • Media notice (if applicable)
  • Mitigation efforts and other actions taken in response to the breach

Further information on the breach portal's required information can be found here.

Please plan accordingly for your reporting needs.  While you may submit all of your breach reports on the same date, you must submit a separate report for each breach incident.  If you later discover information that supplements, modifies, or clarifies a previously submitted report, amend that report by submitting an addendum through the OCR portal and referencing the transaction number from the initial breach report, so keep that number with the corresponding entry in your incident log.