I’ve been encouraging (ok, nagging) HIPAA lawyer Jeff Drummond of Jackson Walker to write a post explaining what the 60-day notification provision really means in HIPAA, as I’ve always had a lot of questions about it, such as:
- Does the 60-day clock start when the covered entity (CE) first discovers that they might have a breach, or does the clock only start after they confirm that they have a reportable breach? What does “discovery” actually mean?
- If there’s a Business Associate (BA) involved, does the clock start when the BA first discovers the breach or does it start when they first notify the CE?
- What if the BA notifies the CE but can’t yet tell them which patients need to be notified? Is the clock paused?
And there were more questions.
So when OCR recently announced a settlement with Presence Health for failure to provide timely notice, I renewed my encouragement (ok, nagging). And I’m thrilled to see that Jeff actually has written a post on the topic, starting with the language of 45 CFR 165.404(b), which requires each affected individual to be notified of the breach “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
Nimbly calculating the potential costs of Presence Health’s delay in notifying patients (104 days to notify), Jeff writes:
OCR noted that each of these tardy reminders is a separate HIPAA violation, and each day beyond the regulatory deadline is a separate violation. That’s at least 131 violations, perhaps more if you count each individual who didn’t get a notification as a separate violation. That’s a potential maximum penalty of almost $200 million. Fortunately, OCR only fined Presence $475,000.
This should be a reminder to covered entities that they are not just obligated to provide notice, they are obligated to provide timely notice. But what does that mean, really?
Noting that the incident is “discovered” for the entity when it’s known to a workforce member of the entity or the entity’s “agent,” Jeff’s next paragraphs offer some great advice to covered entities:
A reportable breach is an unauthorized access, acquisition, use or disclosure of unsecured PHI; however, the definition of breach gives 3 specific exceptions and one general exception (the “low risk of compromise” exception). That’s a whole other blog post, but suffice it to say, you often won’t know right off the bat whether you have a “breach” or something that might, upon further investigation, prove to be either a breach or a non-breach. So, given that, when does the clock start?
I’d say it depends on the incident. If it’s clear that the incident will meet the definition of a breach when the investigation is over, then it’s a breach. If an employee’s car is burgled and a laptop containing unencrypted PHI was stolen, you should consider that the covered entity “discovered” the “breach” when the employee discovered the burglary. On the other hand, suppose you discover a security incident where the IT department discovers some malware that is capable of exporting data, including PHI. However, you don’t have any reason to believe that data has been exported yet. It takes the IT department (and maybe a forensic vendor) a week to determine that yes, in fact, PHI was exported. I would argue that the “breach” is “discovered” when the exfiltration is found. However, keep in mind that the presumption goes to the breach, so (i) your confidence must be very high that the incident will not turn out to be a breach and (ii) your investigation must be swift and thorough.
So it’s when a member of your workforce (or your “agent,” whatever that means) discovers the breach that the clock starts. So far, so good, but what if your workforce can’t determine whether data was exfiltrated and you bring in a firm to help you? And suppose they discover on Day X that the data were exfiltrated but don’t notify you (the CE) of that until Day X+Y. When did the clock start? On Day X or on Day X+Y? Jeff writes that
the discovery point will be when the vendor discovers if the vendor is considered the “agent” of the entity under federal common law, but will be the date the vendor notifies the entity if the vendor is not its “agent.”
There’s that word “agent” again. I’ve heard of BAs, but what’s this bit about “agents” and “federal common law?”
Read Jeff’s post on HIPAA Blog. It’s chock-full of information for you to consider in trying to determine your responsibility to notify and the date by which you must notify. And given that 45 CFR 165.404(b) requires notification “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach,” what happens if your BA takes more than 60 days after they discover their breach to notify you and they are your “agent?” Yes, you should read Jeff’s post and then take another hard look at your BAA. In the meantime, I’ll encourage (ok, nag) Jeff to explain how we would know whether a business associate or vendor is our “agent” or not.