Breach Notification Laws Impose High Penalties

Data Breach

When there is a data security breach, there are state and federal data breach notification laws that places time limits on when those who are affected must be notified. A failure to make a timely notification of the data breach can be quite costly. Several state data breach notification laws and some federal data breach notification laws, such as the Health Insurance Portability and Accountability Act (HIPAA), impose civil fines for untimely notification.

It is important for data breaches to be reported to those who may have been affected in a timely manner, so that those with exposed personal data can take steps to protect themselves from further harm. The sooner a person with compromised data learns about a privacy breach, the sooner steps can be taken to mitigate any possible repercussions of the data exposure, such as checking credit reports and obtaining credit or identify theft monitoring services.

An Illinois Health System Slammed With Settlement for Slow Notification

According to a recent article on Bloomberg BNA, an Illinois Health System was recently saddled with a hefty settlement after taking too long to report a data breach to the proper entities under the breach notification laws of HIPAA. Presence Health learned that it had been subject to a data breach involving paper records in October of 2013, but waited until early February 2014 before reporting the data breach to those who were affected. This nearly four-month delay well exceeded the 60-day window to make notifications under the breach notification laws of HIPAA.

Data breaches are not to be taken lightly in Illinois, particularly when the data breach involves confidential patient information. Presence Health claims that the notification delay was due to a miscommunication and made no admission of liability when it agreed to pay $475,000 in its recent HIPPA settlement. In addition to the money, Presence Health also agreed to provide a two-year corrective action plan.

The HIPAA Breach Notification Rule, codified as 45 CFR §§ 164.400414, requires HIPAA covered entities and their business associates to issue notifications to those affected by a data breach within 60 days of the discovery of the data breach. The notification must further include:

  • An explanation of the breach, identification of the type of data that was compromised in the breach,
  • Information on how those affected by the breach can take steps to protect themselves,
  • An explanation of what the HIPAA covered entities or the business associates is doing to address and correct the data breach, and
  • Contact information so that those who are affected by the breach can learn more information.  

Consult With a Data Breach Lawyer

There is no time to lose once a data security breach has been identified. A majority of states have data breach notification laws that set forth specific timeframes in which notifications need to be made. There are costly consequences for those entities who do not take notification of data breach situations seriously. 

Extra, Extra!
Recent Posts

Trademarks: What is the Difference Between the Circle R and TM Symbols?

Trademarks: What is the Difference Between the Circle R and TM Symbols?

Trademark

The Circle R and the TM symbols both relate to trademarks and both can be physically placed on products, packaging, advertising materials, websites, etc. The Circle R symbol is an “R” enclosed in a circle (®). While both are trademark-related symbols, there are different eligibility requirements for use, meanings, and implications. Here is a quick […]

Read more about Trademarks: What is the Difference Between the Circle R and TM Symbols?

Is Your E-Commerce Advertising in Compliance With Existing Laws?

Is Your E-Commerce Advertising in Compliance With Existing Laws?

Internet Law

E-commerce businesses must comply with federal and State-level advertising laws and regulations. This is true of any business. But e-commerce businesses face special challenges because there is a whole array of potential methods of innocently, accidentally, or intentionally violating advertising laws. These include the potential to engage in false and deceptive advertising practices, such as […]

Read more about Is Your E-Commerce Advertising in Compliance With Existing Laws?

Put Revision Legal on your side