HIPAA Breach Notification Timeline
The HIPAA breach notification rule timeline is a period of time during which covered entities and business associates that have suffered a data breach must undertake certain activities.
What is the HIPAA Breach Notification Timeline?
The steps that must be undertaken during the HIPAA breach reporting and notification timeline depend upon the severity of the breach, and whether the breach was committed by a covered entity or a business associate.
What is the HIPAA Breach Notification Timeline for a Covered Entity?
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary of the Department of Health and Human Services, and, in certain circumstances, to the media.
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by email if the affected individual has agreed to receive such notices electronically.
HIPAA Breach Notification Timeline “Day” Rule 1: The 90-day Rule:
If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days, or, by providing the notice in major print or broadcast media where the affected individuals likely reside.
The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.
HIPAA Breach Notification Timeline “Day” Rule 2: The 60-day Rule:
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible:
- A brief description of the breach
- A description of the types of information that were involved in the breach
- The steps affected individuals should take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.
The “Rule of 500”:
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities can provide this notification in the form of a press release to appropriate media outlets serving the affected area.
As is the case with individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. The media notification must include the same information required for the individual notice.
Regardless of the size of the breach, covered entities must notify the Secretary of the Department of Health and Human Services of the breach. Covered entities must notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.
The HIPAA breach reporting and notification timeline for doing so depends upon the size of the breach.
If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.
If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
What is the HIPAA Breach Notification Timeline for a Business Associate?
Following their discovery of a breach, business associates must notify covered entities if a breach occurs at or by the business associate.
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified (per the HIPAA breach reporting and notification timeline above), the covered entity may delegate the responsibility of providing individual notices to the business associate (the covered entity is not required to do this, however).
Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.
Regardless of which entity provides the individual notice, the same deadlines as those stated above for covered entities apply.
In addition, regardless of who notifies individuals, the business associate, under HIPAA, must provide notice of a breach to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. This notification must be provided, among other reasons, simply so that the covered entity can monitor and track the business associate’s job performance; a BA cannot “hide” a breach from its contract partner, the covered entity.
To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
Covered entities complying with HIPAA reporting are responsible for notifying the media and HHS of business associate breaches.