The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities to notify the HHS’ Office for Civil Rights of a breach of unsecured protected health information and send notification letters to affected individuals without unreasonable delay and no later than 60 days after the discovery of the breach.
As last year’s monthly Breach Barometer reports from Protenus have shown, many covered entities have struggled to comply with the HIPAA Breach Notification Rule and have disclosed their breaches to OCR after the deadline has passed.
This year has seen a major improvement in reporting times. The Protenus 2017 Breach Barometer Mid-Year Review shows that between January and June, it took an average of 54.5 days from the discovery of a breach to notify OCR.
A look back at the Breach Barometer report for January shows just how much the situation has improved. In January, there were 31 data breaches disclosed. 40% of those breaches were reported later than the 60-day deadline.
The improvement in breach reporting time is likely due, in part, to the decision by OCR to enter into a settlement agreement with a covered entity for unnecessarily delaying the issuing of a breach report. In January, Presence Health agreed to a $475,000 settlement after delaying the issuing of breach notifications to patients/OCR.
A look at the breach notification letters sent to breach victims by covered entities shows many healthcare organizations are delaying sending notifications until the deadline approaches. It is extremely common for breach notification letters to be sent just a few days before the 60-day deadline is reached.
There are often reasons for delaying the issuing of notifications. Law enforcement may request that notifications be delayed so as not to interfere with a criminal investigation of the breach. A covered entity may not have all the facts about the breach, or it may not be apparent which individuals have been affected and need to be notified.
However, when affected individuals have been identified, breach notification letters should be sent as soon as possible. Even if notification letters are sent inside the 60-day deadline, a covered entity can still be in violation of the Breach Notification Rule.
At the Allscripts user conference in Chicago, Deven McGraw, deputy director for health information privacy for the HHS Office for Civil Rights, explained that the Breach Notification Rule sets a deadline of 60 days to report a breach and notify patients, but that is not a recommendation. She explained that the HIPAA Breach Notification Rule clearly states notice of a breach must be provided “without unreasonable delay”.
McGraw said, “You can be in violation of HIPAA Rules if you are sitting on your notification, waiting for those 60 days.”
No organization wants to have to notify patients or health plan members that their protected health information has been exposed or stolen, but it is essential that notifications are issued promptly to reduce the harm caused.
Back in January, when the settlement with Presence Health was announced, then-OCR Director Jocelyn Samuels explained why breach notifications must be issued promptly. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
The more an organization delays the sending of breach notifications, the greater the potential for patients and plan members to suffer financial losses as a result of the breach.