You are here

HIPAA Breach Reporting Deadline is Almost Here

February 19, 2018


  • Evaluate
  • Mitigate
  • Manage
  • Restore
  • Improve

Healthcare providers and other HIPAA covered entities have until March 1, 2018 to report to the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) breaches involving fewer than 500 individuals that were discovered in the 2017 calendar year. Although covered entities must notify HHS of breaches involving 500 or more individuals within 60 days of the date the breach is discovered, breaches affecting fewer than 500 individuals may be documented in a breach log and reported on an annual basis. Covered entities who elect to report smaller breaches on an annual basis must make their submissions to HHS through the OCR online portal within 60 days after the end of the year in which the breaches were discovered, giving them a March 1, 2018 notification deadline.

If you have questions about your reporting obligations under HIPAA’s breach notification rule, 45 CFR §§ 164.400-414, please contact The Institute and speak to your dedicate patient safety consultant.


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.