The breach notification interim final rule requires covered entities to submit to the Office for Civil Rights (OCR) notice of breaches of unsecured protected health information (PHI) (45 C.F.R. 164.408) by March 1, 2013. For breaches affecting fewer than 500 individuals, a covered entity must submit to OCR its annual notification of all breaches occurring in a calendar year within 60 days of the end of the calendar year in which the breaches occurred. This notice must be submitted electronically by completing all information required on the breach notification form, located online. A separate form must be completed for each breach that has occurred during the calendar year. Covered entities should analyze each potential breach under the Health Information Technology for Economic and Clinical Health Act (HITECH) regulations, including a documenting incident reports, risk of harm analyses, and notification documents, where applicable. BakerHostetler works with clients in determining which incidents to include on the annual report so that the covered entity does not set a precedent that could prejudice it in a future large breach.