
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

March 1, 2026: Small Healthcare Data Breach HIPAA Reporting Deadline

Healthcare data breaches discovered in calendar year 2025 that affected fewer than 500 individuals must be reported to the HHS’ Office for Civil Rights by March 1, 2026.

The HIPAA Breach Notification Rule requires data breaches affecting 500 or more individuals to be reported to OCR within 60 days of the discovery of a data breach. Individuals must also be notified within 60 days, and a notice must be submitted to prominent media outlets where the affected individuals are located if 500 or more individuals are affected in a state or jurisdiction.

The breach notification requirements for small breaches are different. The affected individuals must still be notified within 60 days of the discovery of a data breach; however, a media notice is not required. OCR must still be notified about small healthcare data breaches, but HIPAA-regulated entities can delay submitting notifications to OCR. All small healthcare data breaches must be reported to OCR within 60 days of the end of the calendar year when the breach was discovered.

Each small data breach must be reported separately via the OCR data breach portal. HIPAA-regulated entities should not leave uploading data breach reports until the last minute, in case of any technical issues with the data breach portal. Late reporting of breaches puts HIPAA-regulated entities at risk of a financial penalty, and OCR could opt to conduct a compliance investigation to determine if there is broader noncompliance with the HIPAA Rules.


Financial penalties for breach notification failures have been relatively rare since the HIPAA Enforcement Rule was enacted; however, in 2025, noncompliance with the HIPAA Breach Notification Rule was the second most common reason for a financial penalty after risk analysis failures. Last year, OCR closed 21 HIPAA cases with settlements or civil monetary penalties, 5 of which included penalties for breach notification failures.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
