Deadline for Reporting 2015 Data Breaches

The deadline for reporting 2015 data breaches is fast approaching. Covered entities must submit all 2015 data breach reports to OCR before the end of the month. The final date for submitting reports of security incidents that affected fewer than 500 individuals is February 29, 2016.

Deadline for Reporting 2015 Data Breaches – Monday February 29, 2016


The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows covered entities up to 60 days after the discovery of a large-scale data breach to report the incident to the Department of Health and Human Services’ Office for Civil Rights. A large data breach is defined as one which affects more than 500 individuals.

HIPAA also requires all covered organizations to report smaller data breaches, although they are considered lower priority. Small data breaches can be reported at any time during the calendar year in which they are discovered, although the maximum time limit for submission is 60 days from the end of the Calendar year in which they were first identified. Since 2016 is a leap year, the deadline for reporting small data breaches is February 29, 2016, and not March 1.

Filing Annual Healthcare Data Breach Reports


A covered entity may choose to submit breach reports on an annual basis; however, a log of data breaches cannot be provided to OCR. Each breach report must be submitted individually. The same data fields and descriptions must be provided to OCR as for large scale data exposures.

If the deadline for reporting 2015 data breaches is exceeded, it would be classed as a violation of the Breach Notification Rule and the covered entity could be penalized financially for that violation. The late delivery of a breach report may also trigger an HIPAA investigation, or earmark a covered entity for a HIPAA audit. Covered entities are therefore not advised to leave the reporting of data breaches to the last minute.

View financial penalties for HIPAA violations

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.