HIPAA Regulations: Notification in the Case of Breach -- Law Enforcement Delay - § 164.412
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
|
HHS Regulations |
If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall:
(a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
(b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.
| HHS Description and Commentary Law Enforcement Delay - § 164.412 |
Section 13402(g) of the Act provides that if a law enforcement official determines that a notification, notice, or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed in the same manner as provided under 45 CFR 164.528(a)(2) of the Privacy Rule in the case of a disclosure covered under such section. Section 164.412 implements § 13402(g) of the Act and thus, requires a covered entity or business associate to temporarily delay notification under §§ 164.404, 164.406, 164.408, and 164.410 if instructed to do so by a law enforcement official.
We retain the definition of “law enforcement official” currently used in the Privacy Rule at § 164.501, which defines such person as “an officer or employee of any We note, however, that with respect to the customers to whom it provides PHRs directly, the vendor must comply with all other FTC rule requirements, including the requirement to notify the FTC within ten business days after discovering the breach. state agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.” However, in this interim final rule, we move the definition up to §164.103 so that it will apply to this subpart D as well as continue to apply to subpart E (Privacy Rule).
Section 164.412(a), which is based on the requirements of 45 CFR 164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of notification in situations in which a law enforcement official provides a statement in writing that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which a delay is required. In these instances, the covered entity is required to delay the notification, notice, or posting for the time period specified by the official.
Similarly, § 164.412(b), which is based on 45 CFR 164.528(a)(2)(ii) of the Privacy Rule, requires a covered entity or business associate to temporarily delay a notification, notice, or posting if a law enforcement official states orally that a notification would impede a criminal investigation or cause damage to national security. However, in this case, the covered entity or business associate is required to document the statement and the identity of the official and delay notification for no longer than 30 days, unless a written statement meeting the above requirements is provided during that time. We interpret these provisions as tolling the time within which notification is required under §§ 164.404, 164.406, 164.408, and 164.410, as applicable.