Thursday, June 27, 2013

One Hour to Report a Breach?

In the recently released proposed rule governing state health insurance exchanges is the requirement to report a breach within one hour of discovery. This has caused a number of consultants and attorneys to express varying opinions on this time frame.

While some may think this is an excessive demand, given that HIPAA gives covered entities 60 days for breach notification, it is not without precedent. Privacy attorney Adam Greene, a partner at Davis Wright Tremaine, points out that it is a federal requirement to report unauthorized access to a federal system within one hour.

"We considered but declined to use the definitions for [incident and breach] provided under the HIPAA regulations because the protected health information that triggers the HIPAA requirements is considered a subset of PII, and we believe that the HIPAA definitions would not provide broad enough protections to satisfy the requirements under the Privacy Act of 1974."
- Proposed Rule about Privacy and Security for Health Insurance Exchanges
Others, such as independent security consultant Tom Walsh, feel a 60 minute breach reporting rule is unrealistic. He said "it differs from some state laws" and that one hour limit could create errors in conducting an investigation. What do you think? Is 60 minutes and unreasonable to report discovery of a breach? If unreasonable what time frame do you think reasonable?
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
(a) 60 Minutes to Report a Breach? -, 06/27/2013

No comments:

Popular Posts

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.

Contact us at