The Department of Health and Human Services provides online forms for reporting breaches of protected health information under HIPAA. You can go to http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html to read more and to submit a form.
The breach notification interim final rule requires covered entities
to provide the Secretary with notice of breaches of unsecured protected
health information (45 CFR 164.408). The number of individuals
affected by the breach determines when the notification must be
submitted to the Secretary.

Breaches Affecting 500 or More Individuals

If a breach affects 500 or more individuals, a covered entity must provide
the Secretary with notice of the breach without unreasonable delay and
in no case later than 60 days from discovery of the breach. This
notice must be submitted electronically by following the link below and
completing all information required on the breach notification form.

Breaches Affecting Fewer than 500 Individuals

For breaches that affect fewer than 500 individuals, a covered entity must
provide the Secretary with notice annually. All notifications of
breaches occurring in a calendar year must be submitted within 60 days
of the end of the calendar year in which the breaches occurred.
Notifications of all breaches occurring after the effective date in
2009 must be submitted by March 1, 2010.

If a covered entity that has submitted a breach notification form to the
Secretary discovers additional information to report, the covered
entity may submit an additional form, checking the appropriate box to
signal that it is an updated submission.