
The 60-day time frame refers to how long HIPAA-covered organizations have to report a breach. According to the Congressional Research Service, “The HIPAA breach notification program was established in 2009, pursuant to the HITECH Act. Under the program, covered entities and their business associates must notify all individuals affected by a breach of unsecured ePHI without unreasonable delay, but no later than 60 days after discovering the breach.” Discovery of the breach, in this context, is defined as the first day on which the breach is known to the covered entity or business associate, or on which it would have been known had reasonable diligence been exercised.
The purpose of the timeframe
The 60-day timeframe protects individuals from the potential harm that delays in breach notification might cause. It ensures they are informed promptly about threats such as identity theft that can follow a breach. The timeframe also pushes the organization to act without delay while still allowing reasonable time to investigate the breach and prepare notifications.
How it impacts healthcare organizations
The compressed timeframe in the Breach Notification Rule shapes the requirements that healthcare organizations must build into their response plans. Healthcare organizations need established procedures for both incident response and breach risk assessment, which requires an investment of resources.
Failure to provide adequate notice can also lead to penalties and legal action, since it can be treated as a HIPAA violation in its own right.
Considerations for the 60-day timeframe
- The 60-day clock starts from the date the breach is first known or should have been known through reasonable diligence.
- Notifications should be issued as soon as possible; 60 days is an outer limit, not a target. Penalties can be imposed for unreasonable delay even when the notification is sent within the 60-day window.
- Depending on the breach, notifications may need to go to affected individuals, the Department of Health and Human Services (HHS), and the media.
- The notification must include specific information about the breach.
- Individuals should be notified by first-class mail or email, depending on their preference.
- The organization must also inform the Secretary of HHS about the breach and notify prominent media outlets serving the relevant location.
- The organization can notify HHS annually, within 60 days after the end of the calendar year in which the breach occurred.
- If a third-party service provider experiences a breach, they must notify their client (the vendor of personal health records) without unreasonable delay and within 60 days of discovering the breach.
- A well-defined incident response plan is necessary to ensure compliance with the 60-day rule.
- The only grounds for pausing notification are that the organization is under federal review or has been asked by the government not to notify individuals.
FAQs
What happens if a breach impacts more than 500 individuals?
When a breach impacts more than 500 individuals, the covered entity must notify HHS and a prominent media outlet serving the state or jurisdiction where the breach occurred.
What happens if a breach impacts fewer than 500 individuals?
For breaches impacting fewer than 500 individuals, HIPAA requires that HHS be notified within 60 days of the end of the calendar year in which the breach was discovered.
Are there any exceptions to the breach notification rule?
Notification is not required if the PHI is secured through encryption, provided the encryption keys are kept on a separate device from the data they encrypt or decrypt.