45 C.F.R. § 164.408 requires covered entities that discover a breach of unsecured protected health information (“PHI”) to notify the Secretary of Health and Human Services within the time limit for notice to the individual and in the manner prescribed by the Department of Health and Human Services (“DHHS”) website. For breaches involving fewer than 500 individuals, the covered entity must maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification to DHHS in the manner specified on its website. Thus, you must report all breaches involving fewer than 500 individuals that occurred in 2013 to DHHS by February 28, 2014 (well, the 60th day is actually Saturday, March 1, this year, but why take a chance on late reporting?). Also, remember that, if it is a breach involving more than 500 individuals, you must provide DHHS notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach.
Before you report, make certain that the incident is a reportable breach—that is, a breach of unsecured PHI in which the risk analysis demonstrates that it is reportable. Failure to make a required report would certainly constitute willful neglect, which carries the largest civil money penalties. For guidance as to whether particular HIPAA breaches are reportable, see my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, which is available on our Veterans Press website.