Updated 2025: Looking for a Business Associate Agreement? Download our FREE template

TotalHIPAA Logo

It’s Time to Report Small Breaches – Don’t Miss the Deadline

Summary:

HIPAA breaches involving less than 500 individuals during the calendar year 2015 must be reported to the U.S. Department of Health and Human Services (HHS) by Monday, February 29th, 2016. Why Do Small Breaches Need to be Reported? Every breach involving fewer than 500 individuals must be logged when it happens and reported to HHS […]

HIPAA breaches involving less than 500 individuals during the calendar year 2015 must be reported to the U.S. Department of Health and Human Services (HHS) by Monday, February 29th, 2016.

Why Do Small Breaches Need to be Reported?

Every breach involving fewer than 500 individuals must be logged when it happens and reported to HHS within 60-days of the end of the calendar year regardless of how minor the incident or how few individuals are involved. Often things that you may regard as a simple oversight or misunderstanding are actually defined by HIPAA as breaches.

Here are a few examples from the HHS website of small breaches that should be recorded in a breach log and reported at years’ end:

  • A municipal social service agency disclosed PHI while processing Medicaid applications by sending consolidated data to computer vendors that were not Business Associates.
  • A mental health center did not provide a notice of privacy practices to a father or his minor daughter, a patient at the center.
  • A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals.
  • A grocery store based pharmacy chain maintained pseudoephedrine log books containing PHI in a manner so that individual PHI was visible to the public at the pharmacy counter.

You can view the full list of HHS examples here.

Will I Be Penalized for the Breaches that I Report?

No, you will not be penalized. Logging your breaches throughout the year demonstrates to HHS that you are doing your best to comply with HIPAA. You acknowledge when any PHI has potentially been compromised and that you have taken measures to make sure the same breaches do not happen again in the future.

Not logging breaches, however, can carry serious consequences as it is seen as a failure to cooperate by HHS. It is also a requirement for the appropriate employees in your organization to be trained specifically on how to log a breach. Should you receive an audit and your employees cannot demonstrate knowledge of the breach report logging process, you could be penalized.

What if My Business Associate Logged the Breach?

If your Business Associate logged the breach and you have designated them as responsible for reporting the breach, that is fine. However, you will want to review the breach report before they file it to make sure it is correct, and then follow up with them before February 29th to be sure that it has been filed.

Looking ahead

If you have logged breaches in 2015, make sure to report them to HHS by Monday, February 29th. You can begin the reporting process here.

If you didn’t log any breaches last year now is an excellent time to make sure you have a process in place for logging breaches and that your employees are trained on how to use it.

If you need help getting started, contact us today!

Sharing is caring!

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

Related Posts

Why do we need to test our Disaster Recovery Plan every year?

Why do we need to test our Disaster Recovery Plan every year?

Even if your internal software and servers remain perfectly static, the infrastructure, vendor updates, and cyber threats around them are constantly shifting. Waiting 2 or 3 years to test your backup systems leaves you vulnerable. This post breaks down the four external factors that degrade an untested playbook, explores HIPAA compliance mandates under NIST SP 800-66, and provides a granular, step-by-step example of what a compliant disaster recovery blueprint actually looks like.

How to Maintain HIPAA Compliance in Public Cloud Environments

How to Maintain HIPAA Compliance in Public Cloud Environments

Storing ePHI in the public cloud offers scalability but requires a strict “Shared Responsibility” approach. To remain HIPAA compliant, organizations must go beyond basic Business Associate Agreements (BAAs). The implementation of AES-256 encryption, multi-factor authentication (MFA), and microsegmentation are now required. This guide outlines the essential steps to securing your cloud infrastructure while meeting the latest HHS and OCR standards.

How to Stay HIPAA Compliant with Audit Logs

How to Stay HIPAA Compliant with Audit Logs

HIPAA audit logs are a mandatory technical safeguard under the HIPAA Security Rule, designed to track and record system activity across your network. To ensure complete compliance, organizations must actively maintain and routinely review these logs to detect unauthorized access to electronic protected health information (ePHI). This guide covers federal hipaa audit log requirements, the essential six-year hipaa audit log retention rules, best practices for tracking digital and physical data access, and how utilizing a structured hipaa audit log template protects your organization from catastrophic data breaches and costly federal penalties.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)