February 15, 2012 – Covered entities under the Health Information Technology for Economic and Clinical Health (HITECH) Act have by the end of February 2012 to report all data breaches affecting fewer than 500 individuals that they have experienced in the past year, to the Office for Civil Rights (OCR).
The HITECH Act of 2009 – which expanded the reach of the Health Insurance Portability and Accountability (HIPAA) Act – requires covered entities to send breach reports to the OCR within 60 days following the end of the calendar year in which a breach takes place.
The HITECH Act introduced the first federally mandated data breach notification requirement, which covers entities such as health care providers and pharmacies, and their business associates – including accounting firms, billing agencies, law firms or others that provide services to the entities.
Source: DataGuidance