Late Data Breach Reports Could Lead to Fines for Covered Bodies

In January 2017, the Department of Health and Human Services’ Office for Civil Rights issued a communication to covered entities in relation to the late reporting of data breaches following the announcement of a settlement with Chicago-based healthcare network Presense Health.

This settlement was the first reached with a covered body purely to resolve HIPAA Breach Notification Rule violations. Presense Health had delayed the issuing of breach notification correspondence to patients. Presense Health agreed to settle with OCR for $475,000 to resolve the potential HIPAA breaches.

However, since the OCR released the announcement, there have been a number of times where covered entities have unnecessarily delayed the issuing of breach notification correspondence to patients and data breach reports to OCR.

The January Breach Barometer – made public by Protenus yesterday – shows that 40% of data breaches reported in January 2017 had notifications sent outside of the time limits required by the Health Insurance Portability and Accountability Act’s Breach Notification Rule.

The loss, theft, or exposure of patients’ electronic protected health information places them at an elevated risk of suffering identity theft and fraud. When data breaches are reported quickly patients can take rapid action to protect their identities, secure their accounts, and lessen risks. However, when breach notification letters are delayed for no reason patients face a higher risk of suffering financial losses since mitigations will not be in place.