By March 2, 2022, HIPAA covered entities (healthcare providers, health plans, and healthcare clearinghouses) must report all 2021 breaches of unsecured PHI that affected fewer than 500 individuals to the Office for Civil Right for the U.S. Department of Health & Human Services (OCR). Covered entities must submit these reports through the HHS web portal,