The HIPAA Breach Notification Rule requires data breach notifications to be sent to the Secretary of the HHS “without unnecessary delay” and no later than 60 days after the date the breach is discovered. A similar time limit applies to sending breach notification letters to affected individuals.
There has recently been a trend among HIPAA-regulated entities to delay issuing notification letters to affected individuals and the HHS until the 60 days from the date the breach was discovered have elapsed. Increasing numbers have also treated the discovery date as the date the breach investigation was completed, or the date when the full review of affected records was finished. In a number of cases, notifications were issued several months after the initial system breach was discovered. There may be legitimate reasons for late reporting, for example a request from law enforcement to hold off announcing a cyberattack or data theft incident so as not to interfere with a police investigation; nevertheless, it is uncommon for individual notifications to refer to such police requests.
Late individual notifications often mean that cybercriminals have had access to PHI for several months before the affected persons are told about the data theft, so those persons lose the opportunity to take steps to protect their personal data against misuse. Notification letters cannot be sent to affected persons until those persons have been identified; however, any late issuance of notifications is a compliance risk. There have been a number of instances where ransomware gangs stole patient information, published it on their data leak sites, and that information remained accessible for months before notification letters were sent. In some cases, the notification letters do not mention data theft at all.
Promptly sending individual notification letters and being transparent about the threat individuals face will enable them to take appropriate action to protect their identities, and could reduce the risk of a data breach lawsuit. A number of recent lawsuits have cited unnecessary delays in sending notifications, which placed breach victims at a greater risk of harm.
Risk of Penalties for Overdue Breach Notifications
The HHS clearly explains in the guidance on its website that the deadline for submitting breach reports to the Secretary of the HHS is 60 days from the date the breach is discovered. If the number of affected people is not known at the time of reporting, an estimated number should be provided; the breach report can then be updated later when more information about the breach is known. A number of covered entities send the breach report within 60 days of detecting a cyberattack and use a total of 500 or 501 affected persons as a placeholder until the document review is finished.
Although there have been only a handful of enforcement actions so far in relation to late reporting of data breaches, a missed deadline places a HIPAA-regulated entity at risk of a sizeable fine. Given the number of data breaches currently being reported to the HHS well after the 60-day deadline, the OCR may in future take enforcement action against entities that fail to comply with the HIPAA Breach Notification Rule reporting requirements.