Breach notifications needed to be made faster in 2024. Instead, they were made more slowly.
Briefly

The article explains that not all U.S. medical practices are bound by HIPAA regulations. For those that are, breaches of protected health information (PHI) must be reported within 60 days of discovery. The definition of 'discovered' is crucial: the notification clock starts when a breach is known or should have been known. The article highlights that while delayed notifications may occur, HHS OCR appears not to enforce timely breach notification, as illustrated by examples like the Hospital Sisters Health System's ransomware attack and its delayed patient notifications.
Hospital Sisters Health System (HSHS) in Illinois experienced a ransomware breach, discovering the attack on August 27, 2023, yet notifying patients only weeks later.
Under HIPAA, entities have 60 days from discovering a breach to notify affected parties, but they may face no significant repercussions for delayed notifications.
Read at Databreaches