Unnecessary Delays in Patient Notification Constitutes Violation of HIPAA Breach Notification Rule

HIPAA Breach Notification Rule (45 CFR Secs. 164.400-414) requires timely notification of any reportable breach to HHS’ Office of Civil Rights and sending notification letters to affected individuals without unreasonable delay and no later than 60 days after discovery of the breach.

According to a report published by Breach Barometer in January, 40% of breaches were reported later than 60-day deadline.  On average, covered entities took 54.5 days from discovery of a breach to notify OCR.  It is also extremely common that covered entities send the breach notification letters to patients just a few days before the 60-day deadline.

Although, the Breach Notification Rule allows for a 60-day deadline for notifying patients, breach notification letters should be sent as soon as possible.  OCR has found violation of Breach Notification Rule when entities unnecessarily delayed sending patient notification letters even when the letters were sent within the 60-day period from discovery of breach.

Covered entities must be mindful to generate and send breach notification letters to patients as soon as practicable and without unnecessary delay.