Most people in the industry believe HIPAA requires notification of a breach to the federal government and affected individuals within 60 days of discovery (unless preempted by state requirements). However, HIPAA’s breach notification timeline is actually “without unreasonable delay,” but not longer than 60 days after the breach was discovered.
Therefore, 60 days is the absolute maximum amount of time permitted, but a shorter timeframe might be reasonable, and thus, ‘required.’
This can be a challenging requirement to comply with, as what is really required is highly fact specific. There is little – if any – formal guidance to assist in determining what type of delay might be reasonable and what might be unreasonable. The best tactic is to not focus on the 60 day aspect, but to do a swift and efficient incident investigation and breach determination. To do so within the 60 day window, and to notify the respective regulators and affected individuals within that timeframe, would eliminate any question whether the notification was reasonable or not. The worst case would be to have been able to effectuate notice sooner, but instead notice was delayed until closer to the 60 day ceiling. That would seemingly be an unreasonable delay, and could result in increased penalties.
Breach notification is never a pleasant situation, especially not for those potentially affected. HIPAA is drafted to provide timely notification to those affected, while still allowing flexibility to conduct a thorough and proper investigation. While HIPAA may allow up to 60 days for notification, a shorter timeframe is often reasonable most appropriate.