Healthcare News & Insights

Hospital waits 15 months to send data breach notification

For healthcare organizations, preventing 100% of all data breaches is likely impossible. That’s why it’s important for providers to have a data breach response plan ready — before an incident occurs. Here’s one point to keep in mind: 

Don’t wait too long to notify the affected individuals and government authorities when protected health information is stolen.

But how long is too long? That’s the question that was asked recently after a data breach that occurred at a hospital in upstate New York.

In November of 2011, officials at Samaritan Hospital in Troy, NY, discovered that a nursing employee had accessed patients’ records without authorization. Samaritan conducted an investigation and concluded that a patient’s electronic record had been improperly accessed. The hospital then disabled access for the employee responsible.

But the next step is when things got tricky. The person in question was actually employed by a nearby prison, whose inmates were treated at Samaritan Hospital. The sheriff’s office began conducting its own investigation and asked the hospital not to send any notifications yet.

Therefore, it was only recently — 15 months later after discovering the breach — that Samaritan informed the Department of Health and Human Services’ Office of Civil Rights and sent data breach notification to patients.

When should data breach notification occur?

According to HIPAA’s Breach Notification Rule, covered entities must send data breach notifications within 60 days of discovering an incident. That notification must include:

  • A description of what happened and the types of information that were compromised
  • Steps affected individuals should take to protect themselves from harm
  • A description of what the hospital is doing to investigate, prevent harm and prevent further breaches, and
  • The provider’s contact information.

However, as Samaritan officials pointed out, a law enforcement agency asked the hospital to delay the notification to avoid impeding an investigation into the breach.

While it’s unclear what enforcement actions will be taken against Samaritan Hospital, the new HIPAA rules published earlier this year create an exception to the data breach notification requirement in cases when a law enforcement official requests a delay to protect an investigation.

According to the rules, if the official provides a written statement, providers must delay notifications for the time period specified. But if a law enforcement makes a request orally, providers should document what was said and delay notifications for no more than 30 days.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.

css.php