The Department of Health and Human Services has provided online forms to submit breaches of protected health information under HIPAA.  You can go to http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html to read more and to submit a form.

The breach notification interim final rule requires covered entities to provide the Secretary with notice of breaches of unsecured protected health information (45 CFR 164.408).  The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. 

Breaches Affecting 500 or More Individuals

If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach.  This notice must be submitted electronically by following the link below and completing all information required on the breach notification form.

Breaches Affecting Fewer than 500 Individuals

For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually.  All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred.  Notifications of all breaches occurring after the effective date in 2009 must be submitted by March 1, 2010.  

If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.