If you experience a HIPAA breach, make sure you investigate and report the breach "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach" or you may be subject to HIPAA fines. (45 CFR 164.404(b)). The Office for Civil Rights just settled for $475,000 its first case against a covered entity for unreasonable delay in reporting a HIPAA breach.

On October 22, 2013, Presence St. Joseph Medical Center ("Presence Health") discovered that its paper-based operating schedules were missing from its surgery center. The schedules contained protected health information of 836 persons, including names, birthdates, procedure information, and medical record information. Because the breach involved more than 500 persons, Presence Health was required to report the breach to HHS and local media at the time it notified affected individuals. However, due to a miscommunication between its workforce members, Presence Health did not report the breach to HHS until January 31, 2014 (101 days after the breach was discovered); did not notify affected individuals until February 3, 2014 (104 days after the breach was discovered); and did not notify the media until February 5, 2014 (105 days after the breach was discovered). The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. (45 CFR 164.404-.410). A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline. Presence Health settled the alleged violations for $475,000. A copy of the OCR's press release is available here.

There are several lessons to be learned. First, covered entities must take the reporting deadlines seriously. For notification to affected individuals, the breach must be reported "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." (45 CFR 164.404(b)). If the breach involves 500 or more individuals, the covered entity must notify HHS at the time it notifies affected individuals; otherwise, it may wait to notify HHS until no later than 60 days after the end of the calendar year. (Id. at 164.408(b)-(c)). If the breach involves more than 500 residents in a state, the covered entity must notify local media "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." (Id. at 164.406(b)). The time period begins to run from the time that any member of the covered entity's workforce (other than the person committing the breach) knew or by exercising reasonable diligence should have known that the breach occurred. (Id. at 164.404(a)(2)). As explained in the Omnibus Rule commentary:

the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. A covered entity is expected to make the individual notifications as soon as reasonably possible after the covered entity takes a reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice to the individual. The 60 days is an outer limit and therefore, in some cases, it may be an "unreasonable delay" to wait until the 60th day to provide notification.

(78 FR 5648).

Second, covered entities may have an obligation to timely report missing protected health information even if there is no indication that the information was improperly accessed. Covered entities that drag out the investigation or delay making the report in the hope that the information will turn up are at risk of failing to report in a timely fashion.

Third, in the Presence Health resolution agreement, the OCR noted that this was not the first time that Presence Health had delayed in making reports. According to the OCR, Presence Health had also failed to make timely reports in 2015 and 2016. That appears to have been an aggravating factor leading to the $475,000 settlement.