Compliance Q&A: Annual log of data breaches

Compliance Monitor, January 18, 2012

Q: I would like some direction on the annual log of breaches affecting fewer than 500 individuals to be sent annually to HHS. What information is needed on this log? To exactly whom do we send it? Is there a government form we need to use? Any help would be appreciated.

A: The breach notification rule requires covered entities to provide the Secretary of HHS with notice of breaches of unsecured PHI (45 CFR 164.408). The appropriate forms can be found at

You must report breaches involving fewer than 500 individuals by March 1 of each year at the latest. This can be done all at once or as breaches occur; it is up to you.

For breaches involving 500 or more individuals, notification must be made without "unreasonable delay" and no later than 60 days after the discovery of the breach.

Editor’s note: Chris Simons, RHIA, originally answered this question in the January 2012 issue of the HCPro, Inc. newsletter, Medical Records Briefing. Simons is the director of utilization management and HIM, and privacy officer at Spring Harbor Hospital in Westbrook, ME.