
Fines for HIPAA violations can be as high as $2 million. That could change


Linda Barbour thought she was more interested in the Change Healthcare cyberattack than most. Having worked as a medical director for several large health insurance companies and having experienced the switch fiasco herself as a rehab doctor with a private practice in Kansas City, she thought that if her data had been exposed in that breach in February, she would have been notified by now.

Barbour finally received a letter from Change in October. “To get it at this point, with this delay, there’s really nothing I can do because it’s been so long,” she said.

By law, companies have 60 days to notify individual customers if their personally identifiable health data was compromised. Missing that deadline could attract fines from HHS, but it’s unclear whether that deadline applied to Change because it didn’t contract directly with patients and because of a lack of clarity about how the Department of Health and Human Services defines when it starts the clock after a breach.
