Providing notice of a vendor’s HIPAA breach is often difficult, but it can be particularly hard when information is delayed. Sometimes an investigation takes months to complete, and the HIPAA deadline for providing notice may have passed before a health plan or health care provider even knows who was affected by the breach and is entitled to notice. Plan administrators and health care providers will need to consider how and when they can provide appropriate notice to individuals in these situations, taking into account HIPAA’s requirements, the terms of the applicable business associate agreement, concerns about causing undue alarm, and other factors.
You are the HIPAA privacy official of a hospital or health plan (a covered entity under HIPAA). You receive an email from a vendor that handles protected health information (a business associate), informing you that one month ago an unauthorized actor infiltrated its information systems. The intruder may have gained access to information about your organization. The vendor learned about the incident two weeks ago and immediately shut off that access, implemented patches to its systems to prevent further intrusion, and launched a forensic analysis to determine the customers and individuals affected by the incident and the nature of the information that was accessed. The vendor does not know how long that will take, but expects it will be months.
How do you respond to this news in view of HIPAA’s requirement to provide timely notice of the breach to affected individuals?
Timing Requirements for Business Associates
HIPAA requires a business associate to notify a covered entity of a breach without unreasonable delay, but within 60 days of the date the business associate discovers the breach. 45 CFR 164.410(b). Discovery occurs not only when the business associate actually learns of the breach, but when it should have learned of the breach if it exercised reasonable diligence. 45 CFR 164.404(a)(2). Note, however, that some business associates will contractually agree to notify the covered entity sooner than the maximum deadline required by HIPAA; see “Business Associate Agreements” below for more information on how your business associate agreement may impact this deadline.
The preamble to the HIPAA regulations recognizes that a business associate may not know all of the information that it is required to disclose to the covered entity when it learns of the breach, but states that “a business associate should not delay its initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual.” 78 Fed. Reg. 5565, 5656. The business associate is to supplement its initial notice at a later time, even if it provides the additional information after the 60-day period has elapsed and after notice has already been provided to affected individuals.
But neither the regulations nor the preamble address the situation where the missing information involves who is affected. Until that information is known, neither the business associate nor the covered entity knows who needs to be notified.
Timing Requirements for Covered Entities
A covered entity must follow a timeframe similar to the one that applies to business associates. It is required to notify affected individuals without unreasonable delay, but within 60 days of discovering the breach. 45 CFR 164.404(b). In this case, your discovery occurs when the business associate informs you of the breach.
Assuming that it has worked with appropriate diligence, the business associate may have met its initial notification obligations under HIPAA, but it places you in a situation where you need to make important decisions. HIPAA sets an outside limit of 60 days for you to notify affected individuals, but you probably will not know who has been affected by the breach at that time.
Do you promptly provide a general notice to all who may have been affected by the breach, even if the number actually affected was small or the information accessed relatively trivial? That notice may cause undue anxiety and trigger many phone calls and questions that neither you nor your vendor can answer. Whether an individual was affected or not, that individual may seek reassurance and may expect immediate protection, such as credit monitoring, but your vendor may be prepared to pay for that protection only for those who were substantially affected.
On the other hand, if you wait for further information, some individuals – will remain unaware that their information has been exposed, delaying the time when they could take their own protective measures.
The HIPAA regulations impose a duty on covered entities to “mitigate, to the extent practicable, any harmful effect that is known to the covered entity” of a breach. 45 CFR 164.530(f). In that regard, the covered entity may consider what is known and what is practical in this situation.
Based on the limited information provided by your business associate in this example, you do not know that any particular individual has been affected by the breach until you receive more information. And you do not know the sensitivity of the information that may have been accessed. The disclosure of a Social Security Number, for example, is of much greater concern than the disclosure of an address or birthdate. You should continue to reach out to your vendor to learn what you can. Even if the investigation has not determined all of the individuals affected, it may have narrowed the affected group or determined that Social Security Numbers and credit card information was or was not revealed.
You do know that a suspicious actor was involved, which is a cause of concern and a factor that would favor an earlier, if incomplete notice.
The Business Associate Agreement
Your business associate agreement with the vendor may play a large role in how you address the breach. Although HIPAA makes a covered entity responsible for notifying affected individuals, the business associate agreement may contractually place that obligation on the business associate. This is especially true when the business associate has a direct relationship with individuals affected by the breach.
The business associate agreement may also shorten timeframes for notification, sometimes requiring notice within a few days or a period measured by 24-hour increments. While your vendor may be meeting the standard for notification set forth in the HIPAA regulations, it may have failed to meet its obligations under the business associate agreement. Because the clock for providing notice to affected individuals starts with the notice that you receive from your vendor, an earlier notice requirement in the business associate agreement could advance the date that you or the business associate have to notify affected individuals.
The business associate agreement may have other implications, for example, setting forth the business associate’s duty to mitigate harm or to serve as the contact person for a breach. It may establish whether the business associate or covered entity has responsibility to determine whether an incident actually constitutes a HIPAA breach.
The responsibilities of the parties can be complicated by a number of additional factors. For example:
- If the business associate is the agent of the covered entity, the covered entity will be deemed to have discovered the breach when the business associate discovers the breach. It will not have an additional 60 days to provide notice.
- If the business associate has engaged a subcontractor, and the subcontractor is responsible for the breach, there is another layer of responsibility, notifications, and potential delays added to the mix.
- If the breach is large enough, HIPAA will require the covered entity to notify the Department of Health and Human Services (HHS) and the media when it notifies affected individuals. If the breach is small, no notice to the media is required, and notice to HHS may be logged and submitted in an annual report of all the year’s breaches within 60 days after the end of the year.
- State laws may also require breach notification.
- If law enforcement is involved and believes that notice will impede its investigation into the incident, the business associate or covered entity may need to delay providing notice. This delay may serve to provide the business associate more time to identify the affected individuals.
No one likes to deliver bad news, and there is a natural and practical reluctance to cause unnecessary worry if you don’t know whether someone has been affected. Those practicalities need to be weighed against the risks of the harm that may come from a delay and of a potential failure to meet applicable HIPAA rules and business associate agreement obligations. In situations like this, you should carefully review your business associate agreement to assess where responsibility lies and make sure that your decisions are based on up-to-date information, so you can make reasoned decisions. As with so many actions under HIPAA, you should document the basis for your actions.