Question: We uncovered a small data breach in our practice that impacted about 225 patients. Do we need to contact anyone since the breach was so small and we contained it?

AAPC Forum Participant Answer: Yes, no matter the size of the breach, you still must report to the Department of Health and Human Services (HHS). However, first make sure the event is an actual breach, which is defined by HHS as: "Generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."

If you do uncover a HIPAA breach in your office, know that there are different timelines for reporting to the feds. The larger the breach, the shorter the turnaround time to let the feds know the details. Here's a basic breakdown of what you need to remember when reporting the violation to HHS.

Breaches that include more than 500 individuals:

Breaches that include fewer than 500 individuals:

Tip: Even a small practice can make an impact with HIPAA protocols by stopping breaches before they start and setting up business associate agreements (BAAs) that are compliant. The initial task of creating resources and office compliance protocols can be daunting, but it's essential that you educate your staff and your business partners and set up a breach management plan.