You Jin Shin
Information Privacy Law
Professor Ira Rubinstein
February 17, 2017
In January 2017, the U.S. Department of Health and Human Services (HHS) settled an enforcement action for “failure to timely report the breach of unsecured protected health information (PHI)”. Considering that the HIPAA Breach Notification Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act were passed in 2009, it is notable that this rule was enforced for the first time in 2017. This seems to suggest that HHS is taking an increasingly strong stance on enforcement against privacy breaches.
Under the notification requirement, individual notifications must be provided no later than “60 days following the discovery of a breach.” The notification requires the covered entity to provide affected individuals with instructions on how they can protect themselves, which allows protective measures to be taken quickly. If individuals are notified early enough, protective measures may be taken before the stolen data is misused. Furthermore, by ensuring an exchange of information between HHS and covered entities in the event of a breach, this rule may help HHS identify trends and evolving patterns in data privacy breaches more efficiently. It also ensures that companies are held accountable and do not sit on their breaches for a long time.
There is also a deterrence factor – if the 60-day requirement is enforced strictly, groups weighing their options after discovering a breach may be encouraged to report, because they would face additional “counts” of liability if they exceed the 60-day timeline.
On the other hand, it does not appear that an additional penalty is imposed for breaching the notification requirement – Presence Health Network settled by paying $465,000 and implementing a corrective action plan. Hence it is unclear whether this rule actually has any bite.