DataBreaches.Net

Did Samaritan Hospital violate HIPAA?

Posted on March 2, 2013 by Dissent

Over on Healthcare IT News, Erin McCann has a bit more on the Samaritan Hospital breach I blogged about yesterday. I found some of her assertions interesting, and because I’m not sure I agree with her on her reading of HIPAA’s requirements, thought I would discuss them here. Erin bases most of her commentary on the media coverage in the Troy Record, just as I had done. The hospital did not respond to two inquiries I sent it yesterday seeking further information and details on the incident.

Erin writes:

According to officials, when the 238-bed Samaritan hospital discovered the breach back in November 2011, hospital officials notified the sheriff’s office, who then asked the hospital to refrain from notifying patients and the OCR, the Troy Record reports. “If a law enforcement agency asks to delay notification so as not to impede an investigation of a potentially criminal nature, we have to comply,” Streeter added.

But did the sheriff ask them not to notify HHS/OCR? There’s nothing in the Troy Record story that the sheriff asked the hospital not to notify HHS, and the story states that the hospital made that decision on the advice of their legal counsel. We do not know why their legal counsel advised against notification, but even if the hospital agreed to delay notifying patients, it makes no sense that HHS would not have been notified, as HHS can protect the report from public disclosure if it is under active investigation.

Erin also writes:

However, according to the Breach Notification Rule, issued August 2009 as part of HIPAA, covered entities must notify patients of a breach “in no case later than 60 days following the discovery of a breach […]”

Not quite. The breach notification rule actually states (emphasis added by me):

Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach

where § 164.412 states:

Law enforcement delay.

If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall:

(a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or

(b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.

In commenting on the provision, HHS wrote:

Section 164.412(a), which is based on the requirements of 45 CFR 164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of notification in situations in which a law enforcement official provides a statement in writing that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which a delay is required. In these instances, the covered entity is required to delay the notification, notice, or posting for the time period specified by the official.

Similarly, § 164.412(b), which is based on 45 CFR 164.528(a)(2)(ii) of the Privacy Rule, requires a covered entity or business associate to temporarily delay a notification, notice, or posting if a law enforcement official states orally that a notification would impede a criminal investigation or cause damage to national security. However, in this case, the covered entity or business associate is required to document the statement and the identity of the official and delay notification for no longer than 30 days, unless a written statement meeting the above requirements is provided during that time. We interpret these provisions as tolling the time within which notification is required under §§ 164.404, 164.406, 164.408, and 164.410, as applicable.

As far as I can tell, then (and so far I’ve been unable to get an unequivocal statement from HHS on this), law enforcement can toll the notification requirement, and there is nothing in the law that really requires notification by some outside time limit.

If I’m right in my interpretation, that’s a failure in the law, and the hospital did not violate HITECH with respect to delaying patient notifications.

So, despite what Erin wrote about fines possibly being in Samaritan Hospital’s future, the only fineable offense I see (and I am not a lawyer) might be their failure to notify HHS of the breach. Of course, when HHS investigates, they may find other problems, but sadly, I do not see where the hospital violated HITECH by delaying notification for so long if the sheriff really asked them not to and they documented his requests.

Category: Health Data
