Healthcare data breaches discovered in calendar year 2025 that affected fewer than 500 individuals must be reported to the HHS’ Office for Civil Rights by March 1, 2026.

The HIPAA Breach Notification Rule requires data breaches affecting 500 or more individuals to be reported to OCR within 60 days of the discovery of a data breach. Individuals must also be notified within 60 days, and a notice must be submitted to prominent media outlets where the affected individuals are located if 500 or more individuals are affected in a state or jurisdiction.

The breach notification requirements for small breaches are different. The affected individuals must still be notified within 60 days of the discovery of a data breach; however, a media notice is not required. OCR must still be notified about small healthcare data breaches, but HIPAA-regulated entities can delay submitting notifications to OCR. All small healthcare data breaches must be reported to OCR within 60 days of the end of the calendar year when the breach was discovered.

Each small data breach must be reported separately via the OCR data breach portal. HIPAA-regulated entities should not leave uploading data breach reports until the last minute, in case of any technical issues with the data breach portal. Late reporting of breaches puts HIPAA-regulated entities at risk of a financial penalty, and OCR could opt to conduct a compliance investigation to determine if there is broader noncompliance with the HIPAA Rules.

Financial penalties for breach notification failures have been relatively rare since the HIPAA Enforcement Rule was enacted; however, in 2025, noncompliance with the HIPAA Breach Notification Rule was the second most common reason for financial penalty after risk analysis failures. Last year, OCR closed 21 HIPAA cases with settlements or civil monetary penalties, 5 of which included penalties for breach notification failures.

The post March 1, 2026: Small Healthcare Data Breach HIPAA Reporting Deadline appeared first on The HIPAA Journal.