Breach Notification Rule is Violated by Delaying Breach Notifications

Aug 13, 2017

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) states that all covered entities must notify the HHS’ Office for Civil Rights of a breach of unsecured protected health information and issue notification letters to affected people without unreasonable delay and no later than 60 days after the discovery of the privacy breach.

Last month's Breach Barometer report from Protenus showed that many covered entities have failed to comply with the HIPAA Breach Notification Rule and have made their breaches known to OCR after the deadline has passed.

In 2017 there has been a major improvement in reporting times. The Protenus 2017 Breach Barometer Mid-Year Review shows that between January and June, it took an average of 54.5 days from the discovery of a data breach to make it known to OCR.

A look back at the Breach Barometer report for January shows just how much the situation has improved. In January, there were 31 data breaches disclosed. 40% of those breaches were reported later than the 60-day deadline.

This improvement in data breach reporting time is likely a consequence of the decision by OCR to enter into a settlement agreement with a covered entity for unnecessarily delaying the issuing of a breach report. In January, Presence Health agreed to a $475,000 settlement after delaying the issuing of breach notifications to patients and OCR.

A review of the breach notification letters sent to privacy breach victims by covered entities reveals that many healthcare organizations are not sending notifications until the deadline approaches. It is common for breach notification correspondence to be issued just a few days before the 60-day deadline.

There are often legitimate reasons for delaying the issuing of notifications, including:

  1. Law enforcement agencies may request that the issuing of notifications be delayed so as not to interfere with a criminal investigation of the privacy breach.
  2. The covered entity may not have all the facts about the breach and may need more time to investigate.
  3. It may not be apparent which individuals have been affected by the breach.

Once affected individuals have been identified, breach notification letters should be sent. However, even if notification letters are sent inside the 60-day deadline, a covered entity may still be in violation of the Breach Notification Rule.

Deven McGraw, Deputy Director for Health Information Privacy at the HHS Office for Civil Rights, explained at the Allscripts user conference in Chicago that the Breach Notification Rule sets a deadline of 60 days to report a breach and notify patients, but that this is a deadline, not a recommendation. She stated that the HIPAA Breach Notification Rule explicitly states that notice of a breach must be provided “without unreasonable delay”.

She added, “You can be in violation of HIPAA Rules if you are sitting on your notification, waiting for those 60 days.”

While no organization wishes to have to notify patients or health plan members that their protected health information has been viewed or obtained without permission, it remains vitally important that notifications are issued promptly to reduce the harm suffered.

In January, when the settlement with Presence Health was announced, Jocelyn Samuels, OCR Director at the time, outlined the reason that breach notifications must be issued promptly: “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The longer that an organization delays the sending of breach notifications, the greater the potential for patients and plan members to suffer financial losses due to the breach.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
