Here’s a deadline that catches practices off guard every single year: March 1.
If your practice had any data breach in 2025 that affected fewer than 500 people, you have until March 1, 2026 to report it to the HHS Office for Civil Rights. Not March 15. Not “sometime this spring.” March 1.
Miss it, and you’re looking at a possible HIPAA violation on top of the breach itself.
The frustrating part? Most practices that miss this deadline aren’t being careless — they genuinely didn’t know it existed. The 500-person threshold gets all the attention. Breaches above that number trigger immediate notices, media alerts, and land you on HHS’s public “Wall of Shame.” The smaller ones fly under the radar, and the annual reporting rule goes unnoticed until an auditor asks about it.
And the stakes keep going up. In 2025, 710 large healthcare data breaches were reported to OCR, affecting tens of millions of patients. But that’s less than 10% of all breach reports — the vast majority are these smaller incidents that most practices don’t realize they need to report. The healthcare breach trend is only accelerating.
What the HIPAA Breach Notification Rule Actually Says
Under HIPAA’s Breach Notification Rule, covered entities — that’s you, if you’re a healthcare provider, health plan, or healthcare clearinghouse — must report all breaches of unsecured health data to OCR.
The difference is timing:
- 500+ people affected: Report within 60 days of discovering the breach. No waiting.
- Fewer than 500 people: You have until 60 days after the end of the calendar year in which the breach occurred. For breaches discovered in 2025, that’s March 1, 2026.
You can report small breaches throughout the year as they happen, or batch them all in one submission. Either way works. What doesn’t work is skipping it entirely or missing the March 1 cutoff.
What Counts as a Reportable HIPAA Breach?
This is where a lot of practices get confused — or talk themselves out of reporting when they should.
A breach, under HIPAA, is any unauthorized acquisition, access, use, or disclosure of unsecured protected health information. The “unsecured” part matters: if the PHI was encrypted and the encryption key wasn’t compromised, it usually doesn’t trigger reporting rules. That’s one reason the new Security Rule makes encryption mandatory — encrypted data isn’t a reportable breach.
Here are the situations that most commonly create small breaches at medical practices:
Lost or stolen unencrypted devices. A laptop left at a coffee shop. A smartphone stolen from a car. A USB drive that went missing after a conference. If the device held patient data and wasn’t encrypted, that’s a reportable breach — even if you never find evidence anyone actually accessed the data.
Misdirected faxes or emails. Sending a patient’s records to the wrong fax number. Emailing lab results to the wrong patient. These are more common than most practices admit, and yes, they count.
Employee snooping. A staff member looked up their neighbor’s chart out of curiosity. A biller accessed records for patients they had no business reason to view. If it was unauthorized access, it’s a breach — even if the employee had legitimate system access for other reasons.
Paper records in the wrong hands. Superbills left in a waiting room. EOBs mailed to an old address. Medical charts disposed of in regular trash instead of a shredder.
Vendor incidents. Your billing company emailed a spreadsheet of patient data to the wrong person. Your EHR vendor had a server issue that exposed records. If it involved your patients’ PHI, you may still have reporting duties even if it was entirely the vendor’s fault. This is why your business associate agreements need to be airtight — and why you need a plan for when a vendor gets hacked.
There’s one important exception worth knowing: if an employee accidentally accessed PHI in good faith while acting within their normal job duties, and no further sharing happened, that may not be reportable. But that exception is narrow. When in doubt, treat it as a breach and do your analysis.
The 4-Factor Risk Assessment Before Reporting
Before you report — or decide not to — HIPAA requires you to do a risk assessment. OCR wants you to evaluate four factors:
- The nature and extent of the PHI involved — Names and appointment dates are less sensitive than mental health records, HIV status, or Social Security numbers.
- Who accessed or could have accessed it — Was the fax received by another healthcare provider who recognized the error? Or did it go to a random residential number?
- Whether the PHI was actually viewed or acquired — If a misdirected email bounced back right away, that’s different from one that was opened and forwarded.
- How far the risk has been mitigated — Did you recover the mailed envelope? Did the recipient confirm deletion?
If your analysis shows there’s a “low probability” that the PHI was compromised based on all four factors, you may not have a reportable breach. But you still need to document your analysis. If OCR ever asks, you need to show your work — not just assert that you decided it wasn’t a big deal.
This documentation is exactly the kind of thing that matters in an audit. OCR looks at patterns. A documented risk assessment shows a mature compliance program. A blank file where the breach log should be tells OCR everything they need to know about how seriously you take this. And OCR fines are only getting bigger.
How to Report a Small Breach to OCR (Step by Step)
Go to HHS’s breach notification portal at hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting. You’ll fill out an online form that asks for:
- Your organization’s name and contact information
- Type of covered entity
- Date the breach occurred and date you discovered it
- Number of people affected
- What type of PHI was involved (names, SSNs, financial information, etc.)
- How the breach happened
- What protections were in place at the time
- What steps you’ve taken in response
The form isn’t complicated, but it does require specificity. Have your incident documentation ready before you start.
One key distinction: reporting to OCR is separate from notifying affected people. You still have to notify the actual patients. For breaches under 500 people, individual notice must be sent within 60 days of discovering the breach — not 60 days after the end of the year. The annual March 1 deadline is only for OCR reporting. Your patients need to hear from you much sooner.
What Happens If You Miss the March 1 Deadline?
OCR has enforcement discretion, which means they don’t automatically fine every practice that submits a late report. But missing the deadline is itself a HIPAA violation, and it factors into how OCR views your compliance program overall.
More importantly: if you miss the deadline and OCR later investigates you for something else, they will look at your breach log. A pattern of unreported or late-reported breaches signals that your compliance program has gaps. That’s when discretionary enforcement starts looking less lenient.
The practices that get in serious trouble aren’t usually the ones that had a breach. They’re the ones that tried to pretend the breach didn’t happen. We’ve seen this pattern play out with $6.6 million in HIPAA fines in 2025 alone — and the penalty amounts increased again for 2026.
Build a Simple HIPAA Breach Log Now
If you don’t already have one, create a simple breach log today. A spreadsheet works fine. Track:
- Date of incident
- Date discovered
- Nature of the incident
- PHI involved and approximate number of people
- Risk assessment outcome (reportable vs. not reportable, with reasoning)
- Date patient notice sent
- Date reported to OCR (or reason not reported)
Review it quarterly. Any time something happens that might be a breach — lost laptop, wrong-number fax, employee access complaint — record it right away while the facts are fresh. Your future self, and your compliance attorney, will thank you.
This breach log feeds directly into your annual risk assessment, which the new HIPAA Security Rule will require every 12 months. Building the habit now saves you scrambling later.
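To make the two clocks described in this post concrete (60 days from discovery for patient notice and for 500+ breaches; 60 days after the end of the calendar year for the OCR report on smaller breaches), here is an added Python example, not from the original post, that models the breach log columns above and flags which reportable entries are overdue or still pending as of a given date. The field names, the `AS_OF` date and the sample incidents are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW = timedelta(days=60)  # HIPAA's 60-day clock
LARGE_THRESHOLD = 500               # 500+ affected: report to OCR without waiting
AS_OF = date(2026, 2, 15)           # constructed "today" for the demo

@dataclass
class BreachLogEntry:               # hypothetical schema for the spreadsheet columns above
    incident: str
    occurred: date
    discovered: date
    affected: int
    reportable: bool                # outcome of the 4-factor risk assessment
    patients_notified: Optional[date] = None
    reported_to_ocr: Optional[date] = None

def patient_notice_deadline(e: BreachLogEntry) -> date:
    # Patients are notified within 60 days of discovery regardless of breach size.
    return e.discovered + NOTICE_WINDOW

def ocr_deadline(e: BreachLogEntry) -> date:
    # 500+: 60 days from discovery. Under 500: 60 days after the end of the
    # calendar year of the breach, which lands on March 1 in a non-leap year.
    if e.affected >= LARGE_THRESHOLD:
        return e.discovered + NOTICE_WINDOW
    return date(e.occurred.year, 12, 31) + NOTICE_WINDOW

def review_log(log, today: date) -> dict:
    """Group still-open obligations of reportable entries into overdue/upcoming."""
    result = {"overdue": [], "upcoming": []}
    for e in log:
        if not e.reportable:
            continue  # entry and reasoning stay in the log, but no clock runs
        clocks = (("patient notice", e.patients_notified, patient_notice_deadline(e)),
                  ("OCR report", e.reported_to_ocr, ocr_deadline(e)))
        for what, done, due in clocks:
            if done is None:
                result["overdue" if today > due else "upcoming"].append((e.incident, what, due))
    return result

# Constructed sample log for 2025; none of these are real incidents.
SAMPLE_LOG = [
    BreachLogEntry("Misdirected fax", date(2025, 3, 4), date(2025, 3, 4), 1, True, date(2025, 3, 10)),
    BreachLogEntry("Lost unencrypted laptop", date(2025, 7, 8), date(2025, 7, 10), 1200, True,
                   date(2025, 8, 15), date(2025, 8, 20)),
    BreachLogEntry("Bounced email, low probability", date(2025, 9, 2), date(2025, 9, 2), 3, False),
    BreachLogEntry("Employee snooping", date(2025, 11, 1), date(2025, 11, 20), 2, True),
]
if __name__ == "__main__":
    for bucket, items in review_log(SAMPLE_LOG, AS_OF).items():
        for incident, what, due in items:
            print(f"{bucket:8} {due}  {what:14} {incident}")
```

Run as a script it prints the snooping incident's patient notice as overdue and both small-breach OCR reports as due March 1, 2026.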
The March 1 Deadline Checklist
If you’re reading this before March 1, 2026, here’s your action plan:
- Pull your incident records for 2025. Every misdirected fax, lost device, employee complaint, vendor notice — anything that could be a breach.
- Run the 4-factor risk assessment on each incident you haven’t already analyzed.
- For reportable incidents, file at OCR’s breach portal before March 1.
- Confirm individual notices were sent within 60 days of discovery for each incident.
- Document everything in your breach log — including incidents you determined were not reportable (with your reasoning).
- Set a calendar reminder for March 1, 2027 right now. This deadline repeats every year.
March 1 is the deadline. If you had any incidents in 2025, check your log and get them reported.