HIPAA Regulations: Notification in the Case of Breach -- Timeliness of Notification - § 164.404(b)
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Regulations
Implementation specification: Timeliness of notification. Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
HHS Discussion and Commentary From the January 2013 Amendments
Notification in the Case of Breach: Timeliness of Notification to Individuals
Timeliness
Section 13402(d) of the Act and the implementing regulations at § 164.404(b) require covered entities to notify individuals of a breach without unreasonable delay but in no case later than 60 calendar days from the discovery of the breach, except in certain circumstances where law enforcement has requested a delay. Under this rule, the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. A covered entity is expected to make the individual notifications as soon as reasonably possible after the covered entity takes a reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice to the individual.
The 60 days is an outer limit and therefore, in some cases, it may be an “unreasonable delay” to wait until the 60th day to provide notification.
Overview of Public Comments
While some commenters generally were supportive of this provision in the interim final rule, others argued that the 60-day timeframe for notification to individuals is unreasonable and requested more time, such as 120 days, to provide the notifications.
Some commenters argued that the clock on the 60-day timeframe should not begin to run until after a covered entity has completed its investigation and determined that a breach has occurred. Another commenter expressed the need for clarification about the types of delays in notifying individuals that would be considered reasonable and whether a covered entity’s resources would be taken into account in determining whether any delay was reasonable.
Final Rule
We retain § 164.404(b) in this final rule without modification. This is the standard expressly provided for in the statute and we otherwise do not believe it necessary or prudent to extend the timeframe. Covered entities and business associates have been operating under this timeliness standard since the issuance of the interim final rule and we believe a longer time period to notify individuals of breaches of unsecured protected health information could adversely impact affected individuals and the ability to mitigate adverse consequences. For the same reasons, we continue to provide that the time period begins to run when the incident becomes known, not when it is determined that a breach as defined by the rule has occurred. There is sufficient time within this standard both to conduct a prompt investigation of the incident and to notify affected individuals.
With respect to what constitutes a reasonable versus unreasonable delay within the 60-day timeframe, such determinations are fact specific and there are many factors that may be relevant, including the nature of the breach, number of individuals affected, and resources of the covered entity.
HHS Description and Commentary From the Interim Breach Rule
Notification in the Case of Breach: Timeliness of Notification to Individuals
Regarding timeliness of individual notifications, § 164.404(b) mirrors the statutory requirement in § 13402(d) of the Act and requires that, except when law enforcement requests a delay in accordance with § 164.412 (provision discussed below), a covered entity shall send the required notification without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered by the covered entity. Thus, provisions for timeliness should be read together with the above provisions for when a breach is treated as discovered. We expect a covered entity to make the individual notifications as soon as reasonably possible. The covered entity may take a reasonable time to investigate the circumstances surrounding the breach, in order to collect and develop the information that § 164.404(c) requires to be included in the notice to the individual. As discussed below, covered entities are also permitted to provide the required information to individuals within the required time period in multiple mailings as the information becomes available.
In response to the RFI, some commenters suggested that suspected but unconfirmed breaches should not be treated as discovered until all the facts of the breach could be confirmed. Others suggested that 60 days was an insufficient amount of time to conduct a complete investigation and send the required notifications. We disagree.
Waiting longer than 60 days to notify individuals of breaches of their unsecured protected health information could substantially increase the risk of harm to individuals as a result of the breach and decrease the ability of the individuals to effectively protect themselves from such harm. The statute and interim final rule provide that the notification must be provided without unreasonable delay and in no case later than 60 calendar days. The purpose of this period is to give covered entities and business associates time to conduct a prompt investigation into the incident to identify and collect the information needed to provide meaningful notice to the individual about what happened. Thus, the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in this rule.
Further, the duration of an investigation is limited by the statute and interim final rule’s requirement that any delay be reasonable – the investigation cannot take an unreasonable amount of time. Thus, if a covered entity learns of an impermissible use or disclosure but unreasonably allows the investigation to lag for 30 days, this would constitute an unreasonable delay. Further, the 60 days is an outer limit and therefore, in some cases, it may be an “unreasonable delay” to wait until the 60th day to provide notification. For example, if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days.
We also note that if a covered entity promptly investigates a reported breach and can swiftly conclude that there was no breach, then the covered entity need not send out breach notifications. For example, where a laptop with unsecured protected health information is initially reported by an employee to be stolen but is discovered the next day in another secure office within the covered entity, then the covered entity need not send out breach notifications.