A covered entity must notify the Secretary if it discovers a breach of unsecured protected health information.
HIPAA requires that covered entities provide breach notification to affected individuals without unreasonable delay, and not later than 60 days after discovery. Covered entities must also report small breaches (those involving fewer than 500 individuals) to OCR no later than 60 days after the end of the calendar year in which the small breaches were discovered.
Small breaches discovered in 2017 must be reported to HHS by March 1, 2018.
Covered entities are required to report each small breach separately to HHS online. You can find the HHS online form here.