Breach Notification – Timing is Important!

One of the most common HIPAA violations by health care providers is the failure to follow the requirements of the Breach Notification Rule in terms of when proper notification must be made. While it may seem simple, each year providers are penalized for making breach notification outside of the specified time frames for notification to the affected individual, the Secretary, and, if required, to the media.

Whenever there is a discovery of an improper disclosure of protected health information that constitutes a breach, a time clock begins to run and it is essential that providers be keenly aware of that time clock; failure to meet the notification time requirements is a per se violation of the Breach Notification Rule that can lead to fines and penalties.

There are three timeframes to be considered in a breach notification situation: notice to the impacted individual, the Office for Civil Rights and to the media. These timeframes can be affected by the size of the breach, and each is triggered by the date on which the breach was discovered. Not every impermissible disclosure is a breach, so it is vitally important that a provider not call something a breach until they are sure it truly is a breach of protected health information. Once something is called a breach, the clock begins to run. Having said that, the notification period cannot be artificially extended by simply not identifying a disclosure as a breach. Providers have a reasonable time which to conduct an investigation but once that investigation confirms the disclosure as a breach, the provider should make note of the applicable time standards.

If a breach impacts less than 500 people, notification to the impacted individual(s) must be made within 60 days of the date of discovery of the breach and notification to the Office for Civil Rights must be made no later than 60 days after the end of the calendar year in which the breach was discovered. Personally, I recommend providers report breaches as soon as they happen rather than waiting until after the end of the calendar year; no advantage is gained by delaying notification to the OCR. If the provider has insufficient or out of date contact information for 10 or more impacted individuals, the provider must put a notice on its website for at least 90 days or provide notice through a major print or broadcast media in the area in which the individuals likely reside.

If the breach impacts 500 or more individuals, proper notice must be given to impacted individuals within 60 days of the discovery of the breach and notice to the OCR must also be made within 60 days of discovery. With breaches impacting over 500 people providers do not have the option to delay notice until after the end of the calendar year. With large breaches, notice to the media is required, again, within 60 days of the date on which the breach was discovered.

Providers tend to bend over backwards to find a way to classify an impermissible disclosure as something other than a breach that requires notification, but this can be a very dangerous practice. Taking the “head in the sand approach” by not recognizing a disclosure as a breach almost guarantees a provider will fail to meet the timeframes set forth in the Breach Notification Rule.