Concerning Healthcare Data Breach Reporting Trend -

"There has been a trend in recent years for HIPAA-regulated entities to wait the full 60 days from the date of discovery of the breach to issue notifications to affected individuals and the HHS, but recently growing numbers have taken the date of discovery as the date when the breach investigation has been completed, or even the date when the full review of impacted documents is finished."

Why this is important: HIPAA requires a covered entity to notify DHHS and affected individuals "without unnecessary delay" and no later than 60 days after the date of discovery of a data breach. But, when is the "date of discovery of a data breach?" Is it the day the breach is discovered, or is it the day that the investigation into the breach is completed? A recent trend has emerged where covered entities are waiting 60 days from the date of the completion of the investigation into the data breach to notify DHHS and affected individuals. To wait until 60 days after an investigation is completed creates a significant compliance and liability risk. Even waiting the full 60 days after the date of discovery of the breach can still result in a claim for untimely notification. As we saw in our last edition of Decoded, a putative class brought a claim for untimely notification under HIPAA due to the covered entity waiting only 29 days from the discovery of the breach to notify affected individuals. DHHS has recognized this issue and clearly stated on its website that the 60-day notification period begins from the date of discovery of the breach and not 60 days after the completion of an investigation into the breach. Late reporting and notification risks a substantial fine, so strict compliance is a must.