The HIPAA Breach Notification Rule must be followed by all covered entities and business associates, or they risk financial penalties imposed by the Department of Health and Human Services’ Office for Civil Rights (HHS OCR). In addition to the HIPAA requirements, U.S. states have their own breach notification laws. That is why, besides notifying the breach victims and HHS, a breached entity usually must also notify the state attorney general’s office, and the state deadline for doing so may be the same as or shorter than the HIPAA deadline.
In general, the financial penalty for violating the HIPAA Breach Notification Rule can reach $1,500,000 per year for each violation category. It can go even higher when the delay exceeds 12 months, because a violation that continues into a second calendar year is subject to that year’s penalty cap as well. In 2017, Presence Health became the first HIPAA-covered entity to settle a case based solely on a HIPAA Breach Notification Rule violation. The Office for Civil Rights collected $475,000 for the delay in sending out notifications: Presence Health only issued breach notifications about three months after discovering the breach, which exceeded the 60-day maximum allowed by HIPAA.
Covered entities should note that breach notifications must be issued as soon as the required information is available; the rule requires notification without unreasonable delay, and 60 days is the outer limit, not a target. Do not wait until the 60-day notification period is about to expire. The only acceptable reason for delay is a request from law enforcement to avoid impeding an investigation. OCR can impose a penalty for unnecessarily delayed notifications even when the covered entity stayed within the 60-day period, and several recent HIPAA breach cases have drawn financial penalties on exactly that basis.
It is the covered entity’s responsibility to keep up to date with state breach notification laws, which change frequently. As with OCR, a state attorney general may also impose financial penalties on an entity that delays breach notifications up to the HIPAA 60-day limit when the state law sets a shorter deadline.