Cybersecurity is the new front line in the fight against data breaches. Increased use of the internet, cloud storage and technology in the medical field makes the industry susceptible to data breaches. A study released by the U.S. State and Federal Government Cybersecurity in 2017 identified the healthcare industry among the most vulnerable to cyber-attack, ranking it below only the food and retail industries.
Time is of utmost importance when addressing breach notifications. The Breach Notification Rule allows providers 60 days to notify patients, and unnecessary delays are punishable by law. For example, when Presence Health reported a breach of physical protected health information (PHI) of 836 of its patients to OCR 104 days after the breach was discovered, it had to pay a $475,000 fine to OCR, exclusive of its legal fees and the public relations damage the company suffered. For further discussion of unnecessary delays, you may refer to our previous article entitled “Unnecessary Delays in Patient Notification Constitutes Violation of HIPAA Breach Notification Rule.”
Because of the high costs associated with unnecessary delays, covered entities must take steps to prepare for the inevitable and mitigate their financial losses. The 60-day period starts running from the time a breach is discovered or should have been discovered (i.e., when reasonable diligence would have made it known to the covered entity that a breach had occurred). Under these rules, by the time a breach is actually discovered, the entity may have less than 60 days left to notify patients.
Therefore, it is recommended that all covered entities take special care in negotiating their business associate agreements and in implementing robust policies and procedures to monitor for, identify, notify and report breaches of PHI.