Small Breaches must be reported by February 29, 2012


A reminder that reports of HIPAA breaches that occurred in 2011 involving fewer than 500 individuals must be submitted to HHS by February 29, 2012.

The breach notification rule requires covered entities to report all breaches of unsecured protected health information (45 CFR 164.408). The number of individuals affected by the breach determines when the notification must be submitted.

Large breaches, involving 500 or more individuals, must be reported no later than 60 days after discovery of the breach in addition, individuals who are affected by the breach must be notified.

Smaller breaches, involving fewer than 500 individuals, must be documented on a breach log and reported annually within 60 days of the end of the calendar year.

All breaches occurring in 2011 that affected fewer than 500 individuals must be reported no later than February 29, 2012.

For more information or to report your breach, visit: