Organizations that experienced a data incident in 2019 affecting the protected health information (PHI) of less than 500 individuals have just a few more days to submit their notification to the U.S. Department of Health & Human Services' Office for Civil Rights (HHS/OCR).

Under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, a covered entity or business associate subject to HIPAA is required to report a breach that affected fewer than 500 people to HHS/OCR no later than 60 days after the end of prior calendar year.

This year, a covered entity or business associate has until March 1, 2020 to submit its 2019 small breach reports to the agency.  

Organizations that still need to report an incident to HHS/OCR can do so via the agency's online portal.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.