DataBreaches.net

Did Samaritan Hospital violate HIPAA?

Posted on March 2, 2013 (last updated November 1, 2015) by Dissent

Over on Healthcare IT News, Erin McCann has a bit more on the Samaritan Hospital breach I blogged about yesterday. I found some of her assertions interesting, and because I’m not sure I agree with her reading of HIPAA’s requirements, I thought I would discuss them here. Erin bases most of her commentary on the media coverage in the Troy Record, just as I had done. The hospital did not respond to two inquiries I sent it yesterday seeking further information and details on the incident.

Erin writes:

According to officials, when the 238-bed Samaritan hospital discovered the breach back in November 2011, hospital officials notified the sheriff’s office, who then asked the hospital to refrain from notifying patients and the OCR, the Troy Record reports. “If a law enforcement agency asks to delay notification so as not to impede an investigation of a potentially criminal nature, we have to comply,” Streeter added.

But did the sheriff ask them not to notify HHS/OCR? There’s nothing in the Troy Record story indicating that the sheriff asked the hospital not to notify HHS, and the story states that the hospital made that decision on the advice of its legal counsel. We do not know why its legal counsel advised against notification, but even if the hospital agreed to delay notifying patients, it makes no sense that HHS would not have been notified, as HHS can protect the report from public disclosure if it is under active investigation.

Erin also writes:

However, according to the Breach Notification Rule, issued August 2009 as part of HIPAA, covered entities must notify patients of a breach “in no case later than 60 days following the discovery of a breach […]”

Not quite. The breach notification rule actually states (emphasis added by me):

Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach

where § 164.412 states:

Law enforcement delay.

If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall:

(a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or

(b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.

In commenting on the provision, HHS wrote:

Section 164.412(a), which is based on the requirements of 45 CFR 164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of notification in situations in which a law enforcement official provides a statement in writing that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which a delay is required. In these instances, the covered entity is required to delay the notification, notice, or posting for the time period specified by the official.

Similarly, § 164.412(b), which is based on 45 CFR 164.528(a)(2)(ii) of the Privacy Rule, requires a covered entity or business associate to temporarily delay a notification, notice, or posting if a law enforcement official states orally that a notification would impede a criminal investigation or cause damage to national security. However, in this case, the covered entity or business associate is required to document the statement and the identity of the official and delay notification for no longer than 30 days, unless a written statement meeting the above requirements is provided during that time. We interpret these provisions as tolling the time within which notification is required under §§ 164.404, 164.406, 164.408, and 164.410, as applicable.

As far as I can tell, then (and I say that because so far I’ve been unable to get an unequivocal statement from HHS on this), law enforcement can toll the notification requirement, and there is nothing in the law that really requires notification by some outside time limit.

If I’m right in my interpretation, that’s a failure in the law, and the hospital did not violate HITECH with respect to delaying patient notifications.

So, despite what Erin wrote about fines possibly being in Samaritan Hospital’s future, the only fineable offense I see (and I am not a lawyer) might be their failure to notify HHS of the breach. Of course, when HHS investigates, they may find other problems, but sadly, I do not see where the hospital violated HITECH by delaying notification for so long if the sheriff really asked them not to notify and they documented his requests.
