Small Healthcare Data Breach Reporting Deadline Set For March 1, 2026

The deadline for HIPAA-regulated organizations to report small healthcare data breaches affecting fewer than 500 individuals to the Department of Health and Human Services’ Office for Civil Rights is March 1, 2026, for breaches discovered in calendar year 2025.

Reporting Requirements For Small Breaches Under HIPAA

Under the HIPAA Breach Notification Rule, covered entities and their business associates must notify HHS when they discover a breach of protected health information (PHI). Under HHS breach reporting guidance, if a breach compromised the PHI of fewer than 500 individuals, the breach must be submitted to the Secretary of HHS:
• not later than 60 days after the end of the calendar year in which the breach was discovered, although reporting may occur sooner.
• using the electronic breach reporting portal designated by OCR.

Covered entities must also notify the affected individuals within 60 days of discovering a data breach involving fewer than 500 individuals. However, they are not required to publish a media notice.

Reporting Format And Timing Distinctions

The federal guidance on breach reporting specifies that:
• Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 calendar days from discovery.
• Breaches affecting fewer than 500 individuals must be reported during the extended period following the end of the calendar year when the breach was discovered.

HIPAA-regulated entities may report breaches affecting fewer than 500 individuals as soon as the breach is discovered or wait until the end of the calendar year, but the March 1, 2026 deadline applies for all such breaches discovered in 2025.

Enforcement And Compliance Context

Failure to report small healthcare data breaches by the applicable deadline may expose HIPAA-regulated organizations to OCR compliance reviews and potential financial penalties under the HIPAA Enforcement Rule; past federal enforcement actions demonstrate that breach notification noncompliance has been cited in penalty assessments. In 2025, OCR had 21 HIPAA cases involving civil monetary penalties or settlements. Five of those cases involved HIPAA penalties due to breach notification failures.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA