While some may think this is an excessive demand, given that HIPAA gives covered entities 60 days for breach notification, it is not without precedent. Privacy attorney Adam Greene, a partner at Davis Wright Tremaine, points out that it is a federal requirement to report unauthorized access to a federal system within one hour.
The proposed rule states:

"We considered but declined to use the definitions for [incident and breach] provided under the HIPAA regulations because the protected health information that triggers the HIPAA requirements is considered a subset of PII, and we believe that the HIPAA definitions would not provide broad enough protections to satisfy the requirements under the Privacy Act of 1974."

Others, such as independent security consultant Tom Walsh, feel a 60-minute breach reporting rule is unrealistic. He said "it differs from some state laws" and that a one-hour limit could create errors in conducting an investigation.

What do you think? Is 60 minutes an unreasonable time frame in which to report discovery of a breach? If so, what time frame do you think is reasonable?
- Proposed Rule about Privacy and Security for Health Insurance Exchanges
Sources:
(a) 60 Minutes to Report a Breach? - www.HealthInformationSecurity.com, 06/27/2013