DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Did Samaritan Hospital violate HIPAA?

Posted on March 2, 2013 by Dissent

Over on Healthcare IT News, Erin McCann has a bit more on the Samaritan Hospital breach I blogged about yesterday. I found some of her assertions interesting, and because I’m not sure I agree with her on her reading of HIPAA’s requirements, thought I would discuss them here.  Erin bases most of her commentary on the media coverage in the Troy Record, just as I had done. The hospital did not respond to two inquiries I sent it yesterday seeking further information and details on the incident.

Erin writes:

According to officials, when the 238-bed Samaritan hospital discovered the breach back in November 2011, hospital officials notified the sheriff’s office, who then asked the hospital to refrain from notifying patients and the OCR, the Troy Record reports. “If a law enforcement agency asks to delay notification so as not to impede an investigation of a potentially criminal nature, we have to comply,” Streeter added.

But did the sheriff ask them not to notify HHS/OCR? There’s nothing in the Troy Record story that the sheriff asked the hospital not to notify HHS, and the story states that the hospital made that decision on the advice of their legal counsel. We do not know why did their legal counsel advised against notification, but even if the hospital agreed to delay notifying patients, it makes no sense that HHS would not have been notified as HHS can protect the report from public disclosure if it is under active investigation.

Erin also writes:

However, according to the Breach Notification Rule, issued August 2009 as part of HIPAA, covered entities must notify patients of a breach “in no case later than 60 days following the discovery of a breach […]”

Not quite. The breach notification rule actually states (emphasis added by me):

Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach

where § 164.412 states:

Law enforcement delay.

If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall:

(a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or

(b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.

In commenting on the provision, HHS wrote:

Section 164.412(a), which is based on the requirements of 45 CFR 164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of notification in situations in which a law enforcement official provides a statement in writing that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which a delay is required. In these instances, the covered entity is required to delay the notification, notice, or posting for the time period specified by the official.

Similarly, § 164.412(b), which is based on 45 CFR 164.528(a)(2)(ii) of the Privacy Rule, requires a covered entity or business associate to temporarily delay a notification, notice, or posting if a law enforcement official states orally that a notification would impede a criminal investigation or cause damage to national security. However, in this case, the covered entity or business associate is required to document the statement and the identity of the official and delay notification for no longer than 30 days, unless a written statement meeting the above requirements is provided during that time. We interpret these provisions as tolling the time within which notification is required under §§ 164.404, 164.406, 164.408, and 164.410, as applicable.

As far as I can tell, then, because so far, I’ve been unable to get an unequivocal statement from HHS on this, law enforcement can toll the notification requirement and there is nothing in the law that really requires notification by some outside time limit.

If I’m right in my interpretation, that’s a failure in the law, and the hospital did not violate HITECH with respect to delaying patient notifications.

So, despite what Erin wrote about fines possibly being in Samaritan Hospital’s future, the only fineable offense I see (and I am not a laywer) might be their failure to notify HHS of the breach. Of course, when HHS investigates, they may find other problems, but sadly, I do not see where the hospital violated HITECH by delaying notification for so long if the sheriff really asked them not to and they documented his requests.


Related:

  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies
  • DOGE Denizen Marko Elez Leaked API Key for xAI
  • Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
  • Texas Enacts Electronic Health Record Data Localization Law
  • United Australia Party confirms ransomware attack, personal data and email correspondence exposed
Category: Health Data

Post navigation

← Lucile Salter Packard Children's Hospital avoids $250,000 penalty for late breach notification (updated)
lulzsec.com Sub domain hacked or was it →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • North Country Healthcare responds to Stormous’s claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies
  • DOGE Denizen Marko Elez Leaked API Key for xAI
  • Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
  • RansomedVC is back — and is still attacking its competitors
  • Texas Enacts Electronic Health Record Data Localization Law
  • United Australia Party confirms ransomware attack, personal data and email correspondence exposed
  • Armenian National Extradited to the United States Faces Federal Charges for Ransomware Extortion Conspiracy
  • 70% of healthcare cyberattacks result in delayed patient care, report finds

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Texas Enacts Electronic Health Record Data Localization Law
  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​
  • Fourth Circuit upholds West Virginia ban on abortion pills
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.