The HIPAA Breach Notification Rule requires a data breach notification letter to be sent to the Secretary of the HHS “without unnecessary delay” and no later than 60 days after the discovery date of a data breach. The same time limit applies to sending breach notification letters to affected people.
There has been a pattern lately of HIPAA-regulated entities putting off the issuance of notification letters to impacted individuals and the HHS until the 60 days from the date of discovery of the breach are up. More recently, however, many have treated the discovery date as the date the breach investigation ended, or even the date when the entire assessment of affected files was completed. In a number of instances, notifications were issued several months after the initial system breach was detected. There may be legitimate reasons for late reporting, for instance, a request from the police to postpone reporting a cyberattack or data theft incident so as not to interfere with the authorities’ investigation; nonetheless, it is unusual for individual notifications to mention such requests from federal authorities.
Late individual notifications in many cases mean that cybercriminals have had access to PHI for a number of months before the affected persons are notified of the data theft, so those persons miss the chance to take action to safeguard their personal information against misuse. Notification letters are not mailed to impacted persons until those people have been identified; nevertheless, any overdue sending of notifications is a compliance issue. There have been many cases where ransomware groups compromised patient data and shared the information on their data leak web pages, and the data remained available there for months before notification letters were issued. In certain instances, the notification letters do not mention data theft.
Immediately sending individual notification letters and being transparent about the danger people face makes it possible for them to take the most appropriate steps to protect their identities, and could lessen the risk of a data breach lawsuit. Numerous recent lawsuits have cited needless delays in distributing notifications, which put breach victims at a higher risk of harm.
Possibility of Fines for Overdue Breach Notifications
The HHS states plainly in the guidance on its website that the deadline for sending breach notifications to the Secretary of the HHS is 60 days after the date the breach was discovered. When the number of affected people is unknown at the time of reporting, an estimate must be given. The breach report can then be updated later, when additional details concerning the breach are available. Certain covered entities submit the breach notification within 60 days of discovering a cyberattack and use a total of 500 or 501 impacted persons as a placeholder until the document analysis is finished.
Although there have been only a small number of enforcement actions so far over the delayed reporting of data breaches, a missed deadline puts a HIPAA-regulated entity at risk of a large penalty. Considering the number of data breaches now being reported to the HHS well beyond the 60-day deadline, the OCR may look at taking enforcement action in the future over entities’ non-compliance with the HIPAA Breach Notification Rule reporting requirements.