HIPAA Compliance Training and Certification

HIPAA News

Due Date of 2024 Data Breach Reports Submission to OCR

by | Feb 22, 2025

March 1, 2025, is the last day for filing reports involving 2024 data breaches impacting less than 500 people to the HHS’ Office for Civil Rights (OCR). When breach reports are not filed on time, HIPAA-covered entities are considered non-compliant with the HIPAA Breach Notification Rule and might be put at risk of paying a financial penalty.

The HIPAA Breach Notification Rule calls for HIPAA-covered entities to submit data breach reports to OCR, and send notification letters to the impacted persons. With regards to breaches affecting 500 or over locals of a state or jurisdiction, the entity must inform popular media outlets available in the state or jurisdiction. Issuance of all notifications must be done without unreasonable delay and not after 60 days of discovering a data breach. In case, there are inadequate contact details for 10 and up people, it is necessary to post a substitute breach notice on the entity’s website home page for at least 90 days. Another option is to notify the primary print or broadcast media available in the state where the impacted persons reside.

HIPAA-covered entities are more flexible concerning notifications of data breaches impacting less than 500 people. Personal notifications should still be sent within 60 days of discovering a data breach; nevertheless, the covered entity could file reports of those breaches to OCR yearly. The due date for submitting reports of data breaches impacting less than 500 people to OCR is on or before 60 days after the last day of the calendar year wherein the breaches are identified. For all data breaches identified in 2024 that impacted less than 500 people, OCR should be informed on or before March 1, 2025. Data breach reports should be filed through the OCR data breach website, but every data breach is submitted separately.

When data breaches happen at a HIPAA-covered entity’s business associate, the business associate should inform each impacted covered entity within 60 days of discovering a data breach. It is eventually the duty of every impacted covered entity to make sure that breach notifications are mailed at the proper time; nevertheless, covered entities are allowed to assign the task of sending breach notifications to the business associate.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Please enable JavaScript in your browser to complete this form.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy