The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities to notify the HHS Office for Civil Rights (OCR) of a breach of unsecured protected health information and to issue notification letters to affected individuals without unreasonable delay and in no case later than 60 days after the breach is discovered. (For breaches affecting fewer than 500 individuals, the report to OCR may instead be submitted annually, within 60 days of the end of the calendar year in which the breach was discovered; the 60-day limit on individual notifications still applies.)
Recent Breach Barometer reports from Protenus have shown that many covered entities have failed to comply with the HIPAA Breach Notification Rule, reporting their breaches to OCR only after the deadline had passed.
In 2017, however, reporting times improved considerably. The Protenus 2017 Breach Barometer Mid-Year Review shows that between January and June it took an average of 54.5 days from the discovery of a data breach to its report to OCR.
A look back at the Breach Barometer report for January shows how much the situation has improved. In January, 31 data breaches were reported, and 40% of them were reported after the 60-day deadline.
This improvement in breach reporting time is likely a consequence of OCR's decision to enter into a settlement agreement with a covered entity for unnecessarily delaying its breach notifications. In January, Presence Health agreed to a $475,000 settlement after delaying the issuing of breach notifications to patients and to OCR.
A review of the breach notification letters sent to affected individuals by covered entities reveals that many healthcare organizations do not send notifications until the deadline approaches. Breach notification correspondence is often issued just a few days before the 60-day deadline.
There are sometimes legitimate reasons for delaying the issuing of notifications, including:
- Law enforcement agencies may request that notifications be delayed so as not to interfere with a criminal investigation of the breach.
- The covered entity may not yet have all the facts about the breach and may need more time to investigate.
- It may not yet be apparent which individuals have been affected by the breach.
Once the affected individuals have been identified, breach notification letters should be sent. Even if notification letters are sent within the 60-day deadline, a covered entity may still be in violation of the Breach Notification Rule.
Deven McGraw, Deputy Director for Health Information Privacy at the HHS Office for Civil Rights, explained at the Allscripts user conference in Chicago that the Breach Notification Rule's 60-day limit for reporting a breach and notifying patients is an outer limit, not a target. She stated that the HIPAA Breach Notification Rule explicitly requires notice of a breach to be provided "without unreasonable delay".
She added, “You can be in violation of HIPAA Rules if you are sitting on your notification, waiting for those 60 days.”
No organization wishes to have to notify patients or health plan members that their protected health information has been exposed or obtained without authorization, but it remains vitally important that notifications are issued promptly to limit the harm that results.
In January, when the settlement with Presence Health was announced, then OCR Director Jocelyn Samuels explained why breach notifications must be issued promptly: "Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach."
The longer an organization delays sending breach notifications, the longer affected patients and plan members go without the chance to protect themselves, and the greater the potential for them to suffer financial losses as a result of the breach.