If you are a "covered entity" under the Health Insurance Portability and Accountability Act ("HIPAA") and suffer a breach of protected health information, one of your first reactions should be to count the number of affected individuals, in order to determine whether you must report the breach to the HIPAA enforcement agency (the US Department of Health and Human Services Office for Civil Rights, or "OCR") at the same time you notify the affected individuals. If the breach involves 500 or more individuals, you must report the breach to OCR at the same time, and your entity's name will appear on OCR's "Wall of Shame" of "large" breaches.

However, you aren't entirely relieved of notifying OCR just because the breach involves fewer than 500 individuals; rather, every covered entity is required to report each "small" breach within 60 days of the end of the calendar year in which the breach occurred. In other words, before March 1 of this year, covered entities should review their HIPAA records from last year and determine if they had any reportable breaches and, if so, report those breaches to OCR.

Reporting small breaches is relatively easy and painless, but each breach can take 10 minutes or more to input on the form provided on OCR's website, which can be found HERE. Once at that website, click on "Breaches Affecting Fewer than 500 Individuals," then click on "Submit Notice of a Breach Affecting Fewer than 500 Individuals."