Friday, 30 January 2015

How long do you really have to notify an end user of a data breach when multiple parties are involved?

Under HIPAA regulations we have 60 days to notify users of a security breach where PHI has been found to have been disclosed. State laws are a little more strict, with California, for example, being 5 days (SB541 1280.15(b)).

In the extreme example that a subcontractor of a BAA finds that data has been compromised, how long does the covered entity have to get that information out? With the 60 days from the federal law it's easy to build that time into multiple layers of BAAs (say every one has 10 days to get it up to the next level), but 5 hardly leaves any time at all if it's 5 days, period, from the time of discovery no matter who discovered it.
