Breach Notification Rule is Violated by Delaying Issuing of Breach Notifications

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered organizations to advise the HHS’ Office for Civil Rights of any violation of private health information and to issue notification correspondence to affected people without unreasonable delay and no later than 60 days after the identification of the breach.

July’s Breach Barometer reports from Protenus indicated that many covered organizations have had difficulty in complying with the HIPAA Breach Notification Rule and have disclosed their violations to OCR after the deadline has expired.

2017 has seen a major reduction in average reporting times. The Protenus 2017 Breach Barometer Mid-Year Review outlines that between January and June, it took a mean time of 54.5 days from the identification of a breach to advise the OCR.

Looking back to the January Breach Barometer, it is clear just how much the situation has improved. In January, there were 31 data violations reported. 40% of those violations were disclosed after the 60-day deadline had expired.

The reduction in breach reporting time is likely due, in part, to a settlement agreed between the OCR and a covered organization for unnecessarily delaying the issuing of a breach report. In January, Presence Health agreed to pay a $475,000 settlement after delaying the issuing of HIPAA breach notifications to patients/OCR.

A review of the breach notification letters issued to breach victims by covered organizations shows many healthcare organizations are delaying sending notifications until the deadline is close. It is extremely common for breach notification letters to be sent just a few days before the 60-day deadline is reached.

There are often good reasons for organizations delaying the issuing of notifications. Law enforcement may ask that the issuing of notifications be delayed so as not to obstruct a criminal investigation into the breach. The covered organization may not have the full facts about the breach, or it may not be apparent which people have been affected and need to be advised.

However, when affected people/patients have been located, breach notification letters should be sent as soon as possible. Even if notification letters are sent inside the 60-day deadline, a covered organization can still be in violation of the Breach Notification Rule.

Speaking at the Allscripts user conference in Chicago, Deven McGraw, deputy director for health information privacy for the HHS Office for Civil Rights, said that the Breach Notification Rule sets a deadline of 60 days to report a breach and notify patients, but that is not a recommendation or guideline. She remarked that the HIPAA Breach Notification Rule clearly states notice of a breach must be submitted “without unreasonable delay”.

McGraw added, “You can be in violation of HIPAA Rules if you are sitting on your notification, waiting for those 60 days.”

No entity wants to have to warn patients or health plan subscribers that their protected health data has been exposed or stolen, but it is important that notifications are issued quickly to reduce the harm experienced.

In January 2017, then OCR Director Jocelyn Samuels explained why breach notifications must be issued quickly when the settlement with Presence Health was made public. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The longer a covered entity delays the sending of breach notifications, the greater the possibility for patients and plan members to be hit with financial losses due to the breach.

Author: Maria Perez