Confidentiality, Privacy and Security

60 days...Notification to the Secretary

  • 1.  60 days...Notification to the Secretary

    Posted 18 days ago
    Just posting a share of a response to someone that asked if one might get into trouble if they wait until 60 days to contact the Secretary of a breach affecting >500 individuals.  Briefly, there are a few posts, including from the OCR about the expectation of notifying the Secretary without undue delay.

    However, the regulations are have up to 60 days. OCR may question why you waited 60 days...but the upside is that you will be held to that 60 day window.  The worst I've seen is a technical assistance letter that essentially requests that you notify them without undue delay...but that's about it.

    The one case that is often used in webinars and in articles about not delaying involves an incident where the entity notified OCR well beyond the 60 day window.

    Thanks to the person that asked this.  There's a lot of info out there...and it's easy to run into something that may not be necessarily consistent with the regs or may send mixed messsages.

    Frank Ruelas
    Compliance Professional