Data Encryption Software: Does HIPAA / HITECH Really Give You 60 Days For Patient Notification?

  • 60 Calendar Days from Discovery

  • Without Unreasonable Delay and Multiple Mailings

  • The Siteman Cancer Center Takes 55 Days

If you are a HIPAA-covered entity, there is a particular rule you have to follow if you have not used data encryption like AlertBoot: the Data Breach Notification Rule.

The Notification Rule essentially states that you are given up to 60 calendar days (not business days) to notify people in the event of a data breach involving patient data (i.e., protected health information).  The Notification Rule must be followed even if you are in compliance with the HIPAA Security Rule but still suffer a data breach.  Long story short: if you used encryption software, safe harbor from the Notification Rule is extended to you; if not, you must notify everyone potentially impacted, no ifs or buts.

But, does HITECH really give you 60 calendar days?

60 Calendar Days from Discovery

Yes, HITECH does give you 60 calendar days (and again I emphasize that this is not business days).  However, it’s not as cut and dried as it sounds.  According to the Department of Health and Human Services (HHS):

…except when law enforcement requests a delay…a covered entity shall send the required notification without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered by the covered entity. [Federal Register, August 24, 2009, p.42749.  My emphases]

As you can see, there are a number of conditions.  First, the rule gets bent a little if law enforcement thinks that going public with the case is a bad idea.  Furthermore, it’s not 60 days since the breach; it’s 60 days since the breach was discovered.

While I won’t quote it, that last condition also has a condition of its own.  If it turns out that it took forever to discover the breach because a covered entity was being lax in performing security audits and the like, HHS will essentially void that “since discovery” clause.

The most important part of the above quote, though, is the emphasis on “without unreasonable delay.”  I don’t think a lot of people take this condition to heart.

Without Unreasonable Delay and Multiple Mailings

It behooves administrators for a HIPAA-covered entity to take a good look at the HHS’s opinions on the matter of data breaches and notifications.  The 60-day limit is an “upper limit” and covered entities are expected to contact patients ASAP.

Protestations that the full extent of the problem hasn’t yet been diagnosed are not a valid argument, either.  In the same Federal Register entry (pp. 42749 – 42750), the following observation is given:

…covered entities are also permitted to provide the required information to individuals within the required time period in multiple mailings as the information becomes available.

The ultimate purpose of these notifications is to allow affected patients to protect themselves from potential harm.  As such, HHS is giving covered entities a way to notify patients with less than the complete picture, while offering them legal respite from accusations of “not revealing the complete picture.”

At the end of the day, it seems to be HHS’s position that it’s more important to let patients know that they should be on the lookout than to let them know why they should be on the lookout, and I agree.  Plus, consider all these other opinions in the Federal Register (all emphases mine):

“Others suggested that 60 days was an insufficient amount of time to conduct a complete investigation and send the required notifications. We disagree. Waiting longer than 60 days to notify individuals of breaches of their unsecured protected health information could substantially increase the risk of harm to individuals as a result of the breach and decrease the ability of the individuals to effectively protect themselves from such harm.”

“…if a covered entity learns of an impermissible use or disclosure but unreasonably allows the investigation to lag for 30 days, this would constitute an unreasonable delay.”

“…if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days.”

That last one brings me to the following heading.

The Siteman Cancer Center Takes 55 Days

The Siteman Cancer Center, a joint venture between Washington University and Barnes-Jewish Hospital, is being sued by one Ms. Rita Barricks because her identity was stolen after an unencrypted laptop was filched from the hospital.

The theft took place on December 2, 2010 and Barricks was contacted on January 28, 2011.  The time frame here is 55 days, well within the 60 calendar-day deadline.  The question is, though, did the Siteman Cancer Center know enough to contact patients soon after December 2?

And if so, would waiting until the last possible minute be grounds for losing a class action lawsuit?  I guess we’ll have to let the courts decide.

(Disclaimer: I’m not a lawyer).
