Is Speed Important When Reporting a Data Breach?


In life, it’s OK to take your time doing a lot of things, but one area where it’s not OK is reporting a data breach. This was highlighted by an Illinois health system’s $475,000 settlement over allegations it waited too long to report a data breach to patients and the government.

Presence Health uncovered a data breach Oct. 22, 2013, that affected 836 patients, but didn’t report the breach to the patients until Feb. 3, 2014, well past the Health Insurance Portability and Accountability Act requirement to notify within 60 days. The Health and Human Services Office for Civil Rights said this was the first time it had reached a settlement over the untimely reporting of a breach.

Failing to notify the OCR of the breach within 60 days isn’t a major violation, but failing to do the same for patients can lead to some serious issues, Eric Fader, an attorney with Day Pitney told me. Reporting delays can prevent patients from taking steps to protect themselves, such as changing passwords and signing up for credit monitoring services, Fader said.

The settlement sends a clear message to providers that the OCR is serious about enforcing the HIPAA breach notification rule, Colin Zick, an attorney with Foley Hoag, told me. While Presence Health doesn’t appear to have deliberately flouted the breach notification rule, the settlement reinforces the idea that the OCR considers the 60-day notification period to be meaningful, Zick said.

In addition to the $475,000, Presence Health agreed to enter into a two-year corrective action plan. Presence didn’t admit to any liability under the settlement, and the OCR said the settlement didn’t mean that Presence wasn’t in violation of HIPAA rules.

For more information, read my story here.

Stay on top of new developments in health law and regulation with a free trial to the Health Law Resource Center.

Learn more about Bloomberg Law and sign up for a free trial.