25% off all training courses Offer ends May 8, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 8, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

March 1, 2025: Deadline for Submitting 2024 Data Breach Reports to OCR

Posted By on Feb 4, 2025

The deadline for submitting reports of 2024 data breaches affecting fewer than 500 individuals to the HHS’ Office for Civil Rights (OCR) is March 1, 2025. Late filing of breach reports will put HIPAA-regulated entities at risk of a financial penalty for non-compliance with the HIPAA Breach Notification Rule.

The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report data breaches to OCR, issue notifications to the affected individuals, and – for breaches affecting 500 or more residents of a state or jurisdiction – notify prominent media outlets serving that state or jurisdiction. All notifications must be issued without unreasonable delay and no later than 60 days after the date of discovery of a data breach. If there is insufficient contact information for 10 or more individuals, a substitute breach notice must be placed on the home page of the entity’s website for at least 90 days or the notice must be provided to major print or broadcast media where the affected individuals likely reside.

HIPAA-regulated entities have greater flexibility regarding notifications about data breaches affecting fewer than 500 individuals. Individual notifications must still be issued within 60 days of the date of discovery of a data breach; however, the regulated entity may submit reports of those breaches to OCR annually. The deadline for submitting reports of data breaches affecting fewer than 500 individuals to OCR is no later than 60 days after the end of the calendar year in which the breaches are discovered. For all data breaches discovered in 2024 that affected fewer than 500 individuals, OCR must be notified no later than March 1, 2025. Data breach reports must be submitted via the OCR data breach portal, with each data breach submitted separately.

If data breaches occur at a business associate of a HIPAA-regulated entity, the business associate must notify each affected covered entity within 60 days from the date of discovery of a data breach. It is ultimately the responsibility of each affected covered entity to ensure that breach notifications are issued within the appropriate time frame; however, covered entities are permitted to delegate the responsibility of issuing notifications to the business associate.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist