HIPAA requires that covered entities notify the Office for Civil Rights (OCR) of any breaches of unsecured protected health information that affects less than 500 individuals in a calendar year within 60 days following the end of the calendar year.
Therefore, all breaches that affected less than 500 individuals that occurred in 2022 and have