If you are a covered entity who experienced a breach of unsecured protected health information affecting fewer than 500 individuals , you must notify the Office of Human Rights of the Department of Health and Human Services of the breach within 60 days of the end of the calendar year in which the breach was discovered.  For breaches that occurred in calendar year 2019, that deadline is February 29, 2020.

To report a breach, go to the Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, which is at https://ocrportal.hhs.gov/ocr/breach/breach_form.jsf.   That link will take you to a step-by-step process which walks you through how to submit the required disclosures.  Since you cannot move past a screen on this site without entering data, you may want to download and print this OCR document which lists all the information you will need for your report: https://ocrportal.hhs.gov/ocr/breach/doc/Breach%20Portal%20Questions%20508.pdf.

Note that you must submit the notice electronically via the OCR portal.

Also note that a covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals.  A covered entity may report such breaches at the time they are discovered.

You may report all of your breaches affecting fewer than 500 individuals on one date, but you must complete a separate notice for each breach incident.

If you are a business associate who is required to report breaches on behalf of a covered entity under the terms of the applicable business associate agreement, you may also use this portal.