When is the loss of sensitive information from a HIPAA covered entity not a HIPAA breach? When it has been protected with encryption software like AlertBoot, since the use of encryption provides safe harbor. But this is not the only scenario that fits the above description.
The other scenario, as I covered in this story involving Kaiser Permanente, is when the missing sensitive information is not PHI, such as employee information. That is why Kaiser was able to notify the affected employees approximately six months after the HMO learned of the data breach, far beyond HIPAA’s 60 calendar-day limit, without running afoul of HIPAA.
But, HIPAA is not the only regulation covered entities have to follow.
AG Files Complaint: California Breach Notification Law Breached
According to infolawgroup.com, the Attorney General of California has problems with the length of time it took for Kaiser to notify approximately 30,000 people. California’s data breach notification law maintains that a data breach disclosure must “be made in the most expedient time possible and without unreasonable delay.”
The problem with such a directive is, how do you define unreasonable? The people over at infolawgroup.com have an answer for that:
While California’s law does not explicitly define “most expedient time possible and without unreasonable delay”, California’s Office of Privacy Protection recommends that notice be provided within ten (10) business days of an organization’s determination that personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Most states make an exception to local laws if they happen to overlap with federal laws (which is not surprising, seeing how federal laws always trump state laws). So, it could be that Kaiser could have ignored the ten business day recommendation for the cold, hard deadline set by HIPAA.
However, seeing how HIPAA did not apply to Kaiser on this particular breach, one wonders if they really had a choice. Of course, strictly speaking, Kaiser didn’t have to do anything within ten business days. After all, it’s not written in stone; it is a recommendation. On the other hand, there are instances where you do stick to something regardless of whether it’s law or not. For example, if the AG leaves you a message to please call back regarding lost personal information, chances are that you will call back even if it’s not required by law.
The point is, if the organization that is in charge of data privacy issues is making a recommendation, chances are that you should follow it. And if not, at least have a reasonable and valid reason why. And try not to veer too far from said recommendation.
Nearly six months later, when ten days is recommended? One assumes that will be problematic.
Interesting Issues for Breach Notification in California
In addition, infolawgroup.com has identified tolling and staggered notifications as “interesting issues for breach notification lawyers.”
Tolling, as far as I can tell, has to do with modifying the statute of limitations (generally extending it). In other words, Kaiser may not be in as much trouble if they can show that they legitimately needed six months to contact people about the data breach. In fact, based on the position that the AG has taken,
one might reasonably conclude that the CA AG viewed the effort of obtaining the drive and the delay associated with that effort as not unreasonable delay [the hard drive’s loss was determined in September 2011 and the drive was recovered in December 2011].
The AG, however, appears to have problems with the approximate two-month delay between when the hard drive was recovered and when people were notified, which brings us to staggered notifications.
The implication is that, even if an organization doesn’t have the complete picture, they should start contacting those who they know have been affected. This assessment makes sense. As I remarked in the original Kaiser breach post:
HHS stuck to the 60 days, noting that the point behind breach notification letters is to let patients know of the breach and give them a chance to protect themselves. The longer one takes to notify patients, the greater the chances that they will be notified after being victimized. And what’s the point in that?