Part 1: “Unreasonable” Sources of Anxiety for Privacy and Compliance Professionals
Despite their ambiguity, or perhaps because of it, you’ll find the terms “promptly”, “without unreasonable delay”, and “timely” (providing an exhaustive list would be…exhausting!) in regulations governing data breach notification and in Business Associate Agreements (BAAs). As a result, privacy and compliance officers are unsure of their breach notification timeframes when concrete direction is desperately needed. Many businesses end up spending hundreds, or thousands, of dollars per hour for compliance attorneys to help interpret and negotiate notification timeframes outlined in BAAs.
Stop and think about the entire healthcare industry and imagine how much data is shared. For every relationship where PHI is created, maintained, or transmitted on behalf of a Covered Entity (CE), there is a BAA. Even a small, regional or independent healthcare provider can be managing hundreds of vendors with BAAs. Nearly every healthcare organization has its own perspective on the definition of what constitutes a reasonable, appropriate response time.
It is critical to understand what these terms mean and who makes that determination. HIPAA’s Breach Notification Rule states that the CE or Business Associate (BA) must “provide the notification…without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
Now introduce state laws, where each state mandates how quickly individuals must be notified of a breach. It’s very unlikely that these state mandates are in sync with the notification timetables in existing agreements.
Further, is there a double standard when it comes to reporting? Do organizations define “prompt” reporting differently when they’re being reported to, versus when they have to do the breach reporting?
Which leads to another question: When does the clock actually start for notifications? HIPAA says a breach is treated as discovered on (i) the first day on which such breach is known to any employee, officer or agent of the BA or CE other than the person committing the breach; or (ii) the first day on which, by exercising reasonable diligence, it would have been known to the BA or CE.
The definition of “discovery” is another source of anxiety for privacy and compliance officers, especially in large organizations where the notification clock could be ticking without their knowledge. Privacy officers can only hope they, and their business partners, learn about breaches from someone inside their organization and not a third party or the media!
I have helped negotiate BAAs that say the notification requirement starts when the Privacy Officer discovers or is made aware of the breach. However, I’m sure that it would be difficult for a CE to honor that clause if the time it took for the BA’s Privacy Officer to learn of and report a breach was unreasonably long, in their opinion.
Abby Mitchell is a privacy professional at CoverMyMeds, where she has served in multiple capacities as the company grew and then merged with McKesson Corporation in 2017. Her primary focus is information technology across the healthcare industry and how privacy, legislation, information security, product development, and contracts influence its development and management. She developed the company’s privacy program and created policies for privacy, compliance, risk management and security. Prior to joining CoverMyMeds, Abby worked at MemberHealth, one of the first Medicare Part D plans.