Covered Entities are required to report breaches of unsecured Protected Health Information (“PHI”) involving fewer than 500 individuals to the Office of Civil Rights (“OCR”) of the federal Department of Human Services within 60 days of the end of the calendar year in which the breach occurred. Accordingly, a breach occurring in 2021 must be reported to OCR no later than Tuesday, March 1, 2022.
These reports can be made online via the OCR’s website. The Report/Notification page can be accessed here:
Submitting Notice of a Breach to the Secretary | HHS.gov
If your organization identified a reportable breach in 2021, and has yet to submit a notice of the breach to OCR, you will need to do so by the March 1, 2022 deadline.
If you have any questions regarding this reporting requirement, or would like guidance on preparing your report, please do not hesitate to contact David Marshall via email at dmarshall@ldylaw.com or call (717) 620-2424.