Breach Notification Times

Ep. 85: Know The Rules! Breach Notification Times

Breach Notification Times – Do You Know Them?

Last week I broke down the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, what the Health and Human Services (HHS) requires Covered Entities (CEs) AND their Business Associates (BAs) to do in the event of a breach of unsecured protected health information (PHI).

Time Is on My Side

Time Is on My Side

Today it is all about Breach Notification Times. Although The Rolling Stones said “Time Is on My Side” the truth is when an organization experiences a healthcare data breaches, time is NOT on their side!! That’s because the clock starts ticking the moment a breach is detected. It doesn’t matter who finds it, the time is still the same.

How much time do you have?

The HHS Breach Notification Rule states an organization must provide notification without unreasonable delay and in no case later than 60 days following a breach. HHS is NOT the only game in town when it comes to reporting breaches; there are also state rules that need to be followed. To make matters more confusing each state has its own.

50 different State Breach Notification Rules

That’s right 50 different State Breach Notification Rules. I found this cool tool by Davis Wright Tremaine LLP., that provides a full summary of data breach notification statue for each state. Check it out @

Does Anyone Really Know What Time It Really Is?

Some of you will remember the Chicago song “Does Anyone Really Know What Time It Really Is” that went…

Does anybody really know what time it is (I don’t)
Does anybody really care (care about time)

Chicago 1969

Why do I keep bringing up time again and again? It is all about breach notification time, yours and your BAs. CEs use Business Associate Agreements (BAAs) to identify notification time-frames for acting once a breach is discovered.

Here is some example you should consider if a breach is discovered at your organization, or if you are notified of a breach by one of your vendors or partners, do you know your breach notification times?

Things to consider when evaluating your BAAs:

  • If your organization is a CE, does your patient population encompass multiple states? Do you know what the notification times are for each state?
  • If your organization is a BA, is the notification time the same for all your clients and vendors?
  • If a BAA states that BAs need to notify it (as the CE) of a breach within two calendar days, how can the BA comply if its sub-BA has 20 calendar days to report a breach to the BA?

Almost every week there is a new story that involves a third-party healthcare data breach. Some of the biggest ones are making the news as I write this very episode.

Remember, the breach notification time clock starts ticking the moment a breach is detected and it doesn’t matter who finds it, the time is still the same. That means you’ll want to evaluate your BAAs to verify they are in compliance with both state and federal regulations.

Now sure how to begin or where to start? Let us guide you through your third-party risks, requirements, and responsibilities. Schedule a call today!