Report HIPAA Breaches Without Delay
Thursday, January 19, 2017
HIPAA, Health, Logo

Related Practices & Jurisdictions
Print Mail Download i

If you experience a HIPAA breach, make sure you investigate and report the breach “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach” or you may be subject to HIPAA fines. (45 CFR 164.404(b)). The Office for Civil Rights just settled for $475,000 its first case against a covered entity for unreasonable delay in reporting a HIPAA breach.

On October 22, 2013, Presence St. Joseph Medical Center (“Presence Health”) discovered that its paper-based operating schedules were missing from its surgery center. The schedules contained protected health information of 836 persons, including names, birthdates, procedure information, and medical record information. Because the breach involved more than 500 persons, Presence Health was required to report the breach to HHS and local media at the time it notified affected individuals. However, due to a miscommunication between its workforce members, Presence Health did not report breach to HHS until January 31, 2014 (101 days after the breach was discovered); did not notify affected individuals until February 3, 2014 (104 days after the breach was discovered); and did not notify the media until February 5, 2014 (105 days after the breach was discovered). The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. (45 CFR 164.404-.410). A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline. Presence Health settled the alleged violations for $475,000. A copy of the OCR’s press release is available here.

There are several lessons to be learned. First, covered entities must take the reporting deadlines seriously. For notification to affected individuals, the breach must be reported “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” (45 CFR 164.404(b)). If the breach involves 500 or more individuals, the covered entity must notify HHS at the time it notifies affected individuals; otherwise, it may wait to notify HHS until no later than 60 days after the end of the calendar year. (Id. at 164.408(b)-(c)). If the breach involves more than 500 residents in a state, the covered entity must notify local media “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” (Id. at 164.406(b)). The time period begins to run from the time that any member of the covered entity’s workforce (other than the person committing the breach) knew or by exercising reasonable diligence should have known that the breach occurred. (Id. at 164.404(a)(2)). As explained in the Omnibus Rule commentary:

the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. A covered entity is expected to make the individual notifications as soon as reasonably possible after the covered entity takes a reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice to the individual. The 60 days is an outer limit and therefore, in some cases, it may be an ‘‘unreasonable delay” to wait until the 60th day to provide notification.

(78 FR 5648).

Second, covered entities may have an obligation to timely report missing protected health information even if there is no indication that the information was improperly accessed. Covered entities who drag out the investigation or delay making the report in the hope that the information will turn up are at risk for failing to report in a timely fashion.

Third, in the Presence Health resolution agreement, the OCR noted that this was not the first time that Presence Health had delayed in making reports. According to the OCR, Presence Health had also failed to make timely reports in 2015 and 2016. That appears to have been an aggravating factor leading to the $475,000 settlement.

For more information on responding to HIPAA breaches, see our article, “Responding to HIPAA Breaches."

Copyright Holland & Hart LLP 1995-2024.

Current Legal Analysis

More from Holland & Hart LLP

Fifth Circuit Court Invalidates Overtime Rule That Increased Exempt Salary Levels
by: Mark Wiletsky
Can a Terminated Lease Be Reinstated?
by: David B. Hatch
Increased Sanctions on Venezuela Place Heavy Burden on Compliance Programs at Financial Institutions
by: Jeremy P. Paner
Who are the Partners Now?
by: Rebecca Klock Schroer
SEC Urges "Robust" Cybersecurity Best Practices
by: Brian N. Hoffman
Good News for Surviving Spouses Seeking to Elect Portability
by: Chelsea May
Only Certain Types of Speech Are Protected In The Workplace
by: Steven M. Gutierrez
Housing Crisis in Colorado May Get Worse: Anti-Growth Initiatives Slated for Lakewood and Colorado
by: Rebecca Dow
Trump Administration Proposes Delay of Fiduciary Rule to July 1, 2019
by: Beth Nedrow
New Nevada Employment Laws – Part 2: Non-competes and Domestic Violence Leave
by: Dora V. Lane

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins