DataBreaches.Net


Did Samaritan Hospital violate HIPAA?

Posted on March 2, 2013 by Dissent

Over on Healthcare IT News, Erin McCann has a bit more on the Samaritan Hospital breach I blogged about yesterday. I found some of her assertions interesting, and because I’m not sure I agree with her reading of HIPAA’s requirements, I thought I would discuss them here. Erin bases most of her commentary on the media coverage in the Troy Record, just as I had done. The hospital did not respond to two inquiries I sent it yesterday seeking further information and details on the incident.

Erin writes:

According to officials, when the 238-bed Samaritan hospital discovered the breach back in November 2011, hospital officials notified the sheriff’s office, who then asked the hospital to refrain from notifying patients and the OCR, the Troy Record reports. “If a law enforcement agency asks to delay notification so as not to impede an investigation of a potentially criminal nature, we have to comply,” Streeter added.

But did the sheriff ask them not to notify HHS/OCR? There’s nothing in the Troy Record story saying that the sheriff asked the hospital not to notify HHS, and the story states that the hospital made that decision on the advice of its legal counsel. We do not know why their legal counsel advised against notification, but even if the hospital agreed to delay notifying patients, it makes no sense that HHS would not have been notified, as HHS can protect the report from public disclosure if it is under active investigation.

Erin also writes:

However, according to the Breach Notification Rule, issued August 2009 as part of HIPAA, covered entities must notify patients of a breach “in no case later than 60 days following the discovery of a breach […]”

Not quite. The breach notification rule actually states (emphasis added by me):

Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach

where § 164.412 states:

Law enforcement delay.

If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall:

(a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or

(b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.

In commenting on the provision, HHS wrote:

Section 164.412(a), which is based on the requirements of 45 CFR 164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of notification in situations in which a law enforcement official provides a statement in writing that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which a delay is required. In these instances, the covered entity is required to delay the notification, notice, or posting for the time period specified by the official.

Similarly, § 164.412(b), which is based on 45 CFR 164.528(a)(2)(ii) of the Privacy Rule, requires a covered entity or business associate to temporarily delay a notification, notice, or posting if a law enforcement official states orally that a notification would impede a criminal investigation or cause damage to national security. However, in this case, the covered entity or business associate is required to document the statement and the identity of the official and delay notification for no longer than 30 days, unless a written statement meeting the above requirements is provided during that time. We interpret these provisions as tolling the time within which notification is required under §§ 164.404, 164.406, 164.408, and 164.410, as applicable.

As far as I can tell, then (and I say this because so far I’ve been unable to get an unequivocal statement from HHS on this), law enforcement can toll the notification requirement, and there is nothing in the law that really requires notification by some outside time limit.

If I’m right in my interpretation, that’s a failure in the law, and the hospital did not violate HITECH with respect to delaying patient notifications.

So, despite what Erin wrote about fines possibly being in Samaritan Hospital’s future, the only fineable offense I see (and I am not a lawyer) might be their failure to notify HHS of the breach. Of course, when HHS investigates, they may find other problems, but sadly, I do not see where the hospital violated HITECH by delaying notification for so long if the sheriff really asked them not to and they documented his requests.

Category: Health Data
