The month of April proved to be a busy one for cyberterrorists, with reportedly more breaches than any previous month. The increasing rates of healthcare breaches continued in May, resulting in the exposure of almost 2 million individuals’ protected health information. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.
As cyberterrorism continues to unleash its fury on the healthcare sector, the HHS Office for Civil Rights is reminding healthcare organizations that HIPAA mandates reporting breaches without unreasonable delay, and in no case later than 60 calendar days after discovery.
The HIPAA law states that all covered entities and their business associates are required to report any breach of protected health information. Additionally, breach notification letters must be sent within 60 days of the discovery of a breach. As soon as the affected individuals are identified, breach notification letters should be sent. Even if the investigation is still ongoing, it is better to send timely notifications than to delay until full knowledge and details of the breach are available. The only exception to the rule is a request from law enforcement to delay notifications so as not to interfere with a criminal investigation of the breach.
It is essential to understand and implement all breach notification requirements or risk incurring financial penalties as high as $1,500,000 from state attorneys general and the HHS’ Office for Civil Rights. (See our post on breach notification.) Healthcare providers that fail to report breaches promptly are also at risk of state-based penalties. Additionally, it is critical that victims have prompt notice so they can take action to mitigate any potential harm caused by the breach.
The more an organization delays sending breach notifications, the higher the potential for individuals to suffer financial losses as a result.