DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Breaches Must be Reported No Later Than 60 Days After Discovery. Is HIPAA Unreasonable, Though?

Posted on May 2, 2019 by Dissent

HealthITSecurity dives into an issue that both this site and Protenus have often addressed:  the gap between when entities first become aware of a breach or that something likely happened, and the date on which they send notifications to affected patients.  In some cases, entities’ disclosures and notifications are more than 60 days after they first “discover” a breach, if we apply HIPAA’s definition of when a breach is “discovered.”  But perhaps that definition needs to recognize real-world limitations on compliance?

While HealthITSecurity repeats that HIPAA is clear and firm on the no-later-than-60-days requirement, and while they get statements from experienced attorneys on what the rule means and requires, their article fails to address the real-world issue that attorneys Jeff Drummond, Matt Fisher and other HIPAA experts have often raised with me:  if the entity, despite their best effort, cannot timely figure out which patients were impacted in a breach, then they don’t know whom to notify, do they? How can you notify people you haven’t identified yet?

Maybe by Day 58 you can figure out which employees’ email accounts were compromised by phishing or some other compromise (and maybe you can’t figure even that out by then!) but figuring out exactly which emails were in that account that exposed particular patients’ PHI might not be that simple.  This site has been advocating for entities to reduce their storage of patient info in employee email accounts, which could help reduce the number and scope of reportable breaches, but in the present climate, the reality is that there is still a lot of ePHI in employee email accounts, and that is not easy to investigate to determine who needs to be notified and what types of PHI were involved for each individual.

I can see notifying HHS/OCR within 60 days of first discovery that there’s been an incident and telling them that it’s under investigation, but if the entity immediately hires a forensics firm and outside help and yet still can’t quickly figure out who’s affected, what, exactly, does HIPAA and OCR expect them to do to comply with the 60-day rule, and is it reasonable?  If an entity’s system is locked up by ransomware and so is their backup, what does the rule require them to do within 60 days of discovering that their system is locked up if they can’t decrypt their files and have no other backup?

Is there any room for common sense? Can we say that if an entity knows that ePHI is in the hands of criminals who have already stated their intention to sell it or dump it, then the entity should issue a press release alerting patients — even if it is not yet able to determine every single patient who needs to get a notification and what ePHI was involved for each patient?  And wouldn’t that media notice comply with the intention of the rule? Yes, not all patients read local media or may have moved away, but at least this would be something in the interim that would enable the entity to be considered in compliance while they are making their best efforts to prepare for individual notifications.

Yes, I know that perhaps we could waggle our fingers and say, “You shouldn’t have gotten into this mess to begin with,” but this is a widespread problem, and even HHS’s own infosecurity system didn’t pass muster on recent review.

Rather than waggle fingers, can we come up with a reasonable solution and response?

 


Related:

  • Two more entities have folded after ransomware attacks
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • North Country Healthcare responds to Stormous's claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
Category: Commentaries and AnalysesHealth Data

Post navigation

← NZ: Privacy breach: More than 100 Hauora Tairāwhiti patient files in Gisborne missing
Vulnerability in Tommy Hilfiger Japan DB Exposes Hundreds of Thousands of Customers to Data Theft →

2 thoughts on “Breaches Must be Reported No Later Than 60 Days After Discovery. Is HIPAA Unreasonable, Though?”

  1. John Nelson says:
    May 2, 2019 at 6:39 pm

    If the entity had taken steps to log the information necessary to prove what happened, and more importantly what did not happen, the task of identifying who to notify would be relatively simple. I am talking, of course, about audit logs, and there should be one running on any system that provides access to sensitive data.

    1. Dissent says:
      May 2, 2019 at 7:02 pm

      I wonder what percent have adequate logs or solutions to log patient name or ID and types of PHI, etc. for the contents of email or attachments to email. I’d bet an awful lot don’t.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.