HIPAA-Covered Entities Violate the Breach Notification Rule When Delaying Breach Notifications

Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), covered entities need to notify the HHS’ Office for Civil Rights when a breach of unsecured protected health information (PHI) occurs. At the same time, they need to notify the affected people with no unreasonable delay and within 60 days after discovering the breach.

Protenus Breach Barometer reports last year showed that a lot of covered entities struggled to adhere to the HIPAA Breach Notification Rule. Many did not notify OCR about their breaches before the deadline.

In the 2017 Breach Barometer report by Protenus, there was a remarkable improvement in the reporting of breaches. From January to June, the average reporting time to OCR is 54.5 days after discovering a breach. In January, out of the 31 data breaches, only 40% were reported past the 60-day deadline.

The breach reporting time improved partly because of the decision of OCR to have a settlement agreement with covered entities whenever there’s unnecessary delay of the issuance of a breach notification. Because of this agreement, Presense Health had to pay a $475,000 settlement fee due to a delay in issuing breach notifications to patients and OCR last January.

Many covered entities are delaying the sending of breach notification letters to breach victims until the due date. It is really typical for breach notification letters to be issued only a few days prior to the 60-day due date. There are some reasons why the issuance of notifications is delayed. Law enforcement may ask for a delay to avoid interference with any criminal investigation associated with the breach. Covered entities might not have all the information concerning the breach, or it might not be evident which persons were affected and should be informed.

Nevertheless, when impacted persons were identified, breach notification letters must be delivered immediately. Even though notification letters are delivered within the 60-day due date, a covered entity could still be considered to have violated the Breach Notification Rule because the rule plainly says that notifications of a breach ought to be delivered without unreasonable delay.

No firm would like to send notification letters to patients or health plan members about the exposure of their protected health information, however it is necessary that notifications are given immediately to minimize the resulting harm. People require prompt advice regarding a breach of their PHI to allow them enough time to take action and mitigate the possible harm brought on by the breach. When the sending of breach notifications is delayed, there is a greater chance that patients and plan members will experience financial losses because of the breach.