Under the Breach Notification Rule, HIPAA covered entities have until March 1 to submit reports of small breaches that occurred during calendar year 2016 to HHS' Office for Civil Rights.
As outlined in The National Law Review, HIPAA requires entities to report breaches affecting fewer than 500 individuals no later than 60 days after the end of the calendar year. This year, that date falls on March 1. Additionally, covered entities must notify individuals affected by the small breach no later than 60 days after the breach, according to a Hall Render blog post.
Covered entities can submit a report for each breach via this online portal.