Covered Entities are required to report breaches of unsecured Protected Health Information ("PHI") involving fewer than 500 individuals to the Office of Civil Rights ("OCR") of the federal Department of Human Services within 60 days of the end of the calendar year in which the breach occurred. Accordingly, a breach occurring in 2015 must be reported to OCR no later than February 29, 2016.
These reports can be made online via the OCR's website. The Report/Notification page can be accessed here:
If your organization identified a reportable breach in 2015 and has yet to submit a notice of the breach to OCR, you will need to do so by the February 29, 2016 deadline. If you have any questions regarding this reporting requirement, or would like guidance on preparing your report, please do not hesitate to contact David Marshall via email or call (717) 620-2424.