The HIPAA Breach Notification Rule calls for data breach notifications to be issued to the Secretary of the HHS “without unnecessary delay” and no later than 60 days after the date of discovery of a data breach. The same time frame applies to issuing notification letters to affected individuals.
There has been a trend in recent years for HIPAA-regulated entities to wait the full 60 days from the date of discovery of the breach to issue notifications to affected individuals and the HHS, but recently growing numbers have taken the date of discovery as the date when the breach investigation has been completed, or even the date when the full review of impacted documents is finished. In some cases, notifications have been issued many months after the initial system breach was detected. There may be valid reasons for a delay in reporting, such as a request from law enforcement to delay making a cyberattack or data theft incident public to avoid interfering with the law enforcement investigation; however, it is rare for individual notifications to mention these law enforcement requests.
Delays to individual notifications oftentimes mean individuals’ PHI has been in the hands of cybercriminals for many months before they are told about the data theft and are given the opportunity to take steps to protect against any misuse of their personal data. Notification letters cannot be sent to affected individuals until those individuals have been identified, but any delay in issuing notifications is a compliance risk. There have been several cases where ransomware gangs have stolen patient data, posted the data on their data leak sites, and for that information to be available for months before notification letters are issued. In some cases, the notification letters have not made any mention of data theft.
Promptly sending individual notification letters and being transparent about the risk individuals face will allow them to take appropriate action to protect their identities and could reduce the risk of a data breach lawsuit. Several recent lawsuits have cited unnecessary delays in issuing notifications, which has placed breach victims at a much higher risk of harm.
Risk of Penalties for Delayed Breach Notifications
The HHS has made it clear in guidance on its website that the deadline for reporting breaches to the Secretary of the HHS is 60 days from the date of discovery of the breach. If the number of affected individuals is not known at the time of reporting, an estimate should be provided. The breach report can then be appended at a later date when further information about the breach is known. Some covered entities report the breach within 60 days of the detection of a cyberattack and use a total of 500 or 501 affected individuals as a place marker until the document review is completed.
While there have been few enforcement actions to date over the late reporting of data breaches, a missed deadline does place a HIPAA-regulated entity at risk of a substantial fine. Given the number of data breaches now being reported to the HHS well after the 60-day deadline, non-compliance with the HIPAA Breach Notification Rule reporting requirements could well be an area where the OCR decides to take enforcement actions in the future.
The post Concerning Healthcare Data Breach Reporting Trend appeared first on HIPAA Journal.