HIPAA Breach Notification Reporting Times

In a recent article I broke down the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, into what the Department of Health and Human Services (HHS) requires of Covered Entities (CEs) AND their third-party vendors in the event of a breach of unsecured protected health information (PHI). Today I am going a step deeper into the rule to help you understand the requirements for HIPAA breach notification reporting time.

Time is on My Side

Today, it is all about HIPAA Breach Notification requirements when it comes to time.

Although The Rolling Stones said “Time Is on My Side,” the truth is that when an organization experiences a healthcare data breach, time is NOT on their side!! That’s because the clock starts ticking the moment an incident is detected. It doesn’t matter who finds it; the time is still the same.

How Much Time Do You Have?

The HIPAA Breach Notification Rule states an organization must provide notification without unreasonable delay and in no case later than 60 days following discovery of a breach. HHS is NOT the only game in town when it comes to reporting breaches; there are also state rules that need to be followed. To make matters more confusing, each state has its own.

That’s right, there are 50 different state Breach Notification Rules. I found this handy link provided by Davis Wright Tremaine LLP; it allows you to select your state of choice for a summary of that state’s data breach notification statutes: https://www.dwt.com/gcp/state-data-breach-statutes

This Includes Third-Party Vendors Too

It is all about HIPAA Breach Notification Time: yours and your third-party vendors’. CEs use Business Associate Agreements (BAAs) to set the timeframes within which each party must act once a breach is discovered.

If a breach is discovered at your organization, or one of your vendors or partners notifies you of a breach, do you know your breach notification times? Here are some questions to consider.

Things to consider when evaluating your BAAs:

  1. If you are a CE, does your patient population encompass multiple states? Do you know what the breach notification times are for each state?
  2. If you are a third-party vendor, is the breach notification time the same for all your clients and subcontractors?

Almost every week there is a new story that involves a third-party healthcare data breach. Some of the biggest ones are making the news as I write this article.

Remember, the breach notification time clock starts ticking the moment a breach is detected, and it doesn’t matter who finds it; the time is still the same. That means you’ll want to evaluate your BAAs to verify they comply with both state and federal regulations.