When a Law Enforcement Official Asks You to Delay Breach Notification: A Guide to the HITECH Rule (45 CFR § 164.412)

Executive Summary

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities and business associates are generally required to notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media following a breach of unsecured protected health information (PHI). However, 45 CFR § 164.412 provides an important exception: the ability to delay breach notifications at the request of a law enforcement official.

This provision recognizes that immediate disclosure could impede an ongoing criminal investigation or jeopardize national security. For small practices, understanding the scope, process, and documentation requirements for such delays is essential to ensure both regulatory compliance and cooperation with law enforcement.

Understanding the Law Enforcement Delay Provision

The Breach Notification Rule requires that notifications be sent without unreasonable delay and within 60 calendar days of discovery. However, § 164.412 allows for a temporary suspension of these requirements when a law enforcement official determines that notification would:

  • Impede a criminal investigation

  • Cause damage to national security

The rule applies to both oral and written requests from law enforcement, but the procedures differ.

Written Requests

When a law enforcement official provides a written statement requesting a delay in breach notification, the covered entity or business associate is required to comply with this request and delay notifying affected individuals and authorities for the specified time period. This exception is designed to protect ongoing investigations and prevent compromising law enforcement activities.

The written statement from the official must include key elements to be valid and actionable:

  • The full name and official title of the law enforcement official making the request, along with the agency they represent. This establishes that the request comes from a credible and authorized source.

  • A clear and specific time frame for the requested delay, indicating exactly how long the notification must be postponed.

  • A concise explanation detailing why immediate notification would likely impede the investigation, jeopardize public safety, or cause damage to national security or law enforcement efforts.

Once the covered entity receives this statement, it must strictly adhere to the requested delay period and not notify affected individuals, the media, or regulatory authorities until the period expires. Failure to comply with the specified timeframe can result in noncompliance with HIPAA requirements and potential penalties.

This process balances patient privacy rights with the critical need to support effective law enforcement investigations.

Oral Requests

In situations where a law enforcement official makes an oral request to delay breach notification, the covered entity or business associate may honor the delay for a maximum of 30 days. This allowance exists because urgent law enforcement circumstances sometimes prevent the immediate preparation of a written statement.

However, to maintain compliance under HIPAA, the oral request must be carefully documented. This documentation should include:

  • The full name and official title of the law enforcement official making the request.

  • The agency or department the official represents.

  • The exact date and time when the oral request was received.

  • A summary of the reason provided for the delay, explaining why immediate notification would interfere with the investigation or jeopardize public safety.

If a written request is not submitted within the 30-day oral delay period, the covered entity or business associate must proceed with breach notification without further delay.

Thorough documentation of oral requests ensures accountability and transparency, demonstrating that the practice acted responsibly while respecting law enforcement needs.

Real-Life Case Study: Coordinating With Federal Investigators

In 2018, a specialty diagnostic center discovered unauthorized access to its EHR system. Initial forensics suggested the attacker was part of an organized group under federal investigation. The FBI contacted the center’s compliance officer and requested an immediate delay in notifying patients and the media to avoid tipping off the suspects.

The FBI initially made the request orally, and the center documented the call in its incident log. Within two weeks, the FBI provided a written statement requesting a 90-day delay. The center complied, and after the period expired, it issued the required notifications within the remaining allowable time.

Lesson Learned: Close coordination and meticulous documentation allowed the practice to meet both federal investigative needs and HITECH compliance obligations.

Documentation Requirements

Under § 164.414(b), the burden of proof rests with the covered entity or business associate. When delaying notification at law enforcement’s request, you should maintain:

  • Copies of written requests from law enforcement officials

  • Detailed records of oral requests, including the official’s name, agency, and reason for the delay

  • A timeline showing the date of discovery, date of the request, delay period, and date notifications were issued

  • Any correspondence between the practice and law enforcement regarding the breach

Balancing Compliance and Cooperation

Small practices may feel pressure when law enforcement officials ask for notification delays. While the regulation provides flexibility, it also requires strict adherence to procedural rules and deadlines. Failure to follow these can result in OCR enforcement actions, even if the intent was to help law enforcement.

Common Pitfalls and How to Avoid Them

Pitfall 1: Failing to Get Written Confirmation After an Oral Request

Oral requests expire after 30 days unless replaced by a written statement.

How to Avoid It: Immediately request written confirmation and track the deadline closely.

Pitfall 2: Misinterpreting the Delay Period

Some practices mistakenly believe the 60-day notification clock starts after the delay period. In reality, the total time from discovery to notification must include the delay period.

How to Avoid It: Maintain a master timeline showing both the delay and the remaining notification window.

Pitfall 3: Poor Documentation of Oral Requests

Incomplete records can leave you unable to prove that a valid request was made.

How to Avoid It: Log the official’s full name, title, agency, date, time, and stated reason for the delay.

Pitfall 4: Extending a Delay Without Proper Authorization

You cannot extend a delay beyond the period specified in a written request without a new written statement.

How to Avoid It: Calendar deadlines and confirm any extensions in writing from law enforcement.

Pitfall 5: Confusing State Law Requirements

Some states have their own breach notification rules that do not include the same delay provisions.

How to Avoid It: Compare state law with the federal rule and follow whichever is stricter.

Pitfall 6: Neglecting Communication With Patients Post-Delay

Even after a valid delay, you must issue clear, timely notifications.

How to Avoid It: Prepare notification drafts during the delay so they can be sent immediately when allowed.

Pitfall 7: Overlooking Media Notification Obligations

If the breach affects 500 or more residents in a state or jurisdiction, media notification may still be required after the delay.

How to Avoid It: Include media notification in your post-delay compliance checklist.

Pitfall 8: Failing to Coordinate Internally

If multiple departments handle breach response, communication breakdowns can lead to missed deadlines.

How to Avoid It: Assign a breach response coordinator responsible for tracking law enforcement delays.

Law Enforcement Delay Checklist

Task | Responsible Party | Frequency
---- | ----------------- | ---------
Verify and obtain written law enforcement delay requests, including the official's name, title, agency, time frame, and reason. | Compliance Officer | Upon request
Document all oral requests thoroughly: official's name, title, agency, date, time, and reason for the delay. | Compliance Officer | Immediately after request
Track the 30-day limit on oral delay requests and request written confirmation before expiration. | Compliance Officer | Continuous monitoring
Maintain a master timeline that includes breach discovery, delay period, and notification deadlines. | Compliance Officer / Records Management | Ongoing
Ensure notification is issued promptly after the delay expires, within the remaining allowed time. | Compliance Officer / Legal | Post-delay
Coordinate with all internal departments to communicate delay status and deadlines. | Breach Response Coordinator | Throughout incident
Prepare notification drafts during the delay to expedite release after the period ends. | Communications / Compliance Officer | During delay
Review and comply with state breach notification laws alongside federal rules. | Legal / Compliance Officer | Annually and as needed
Include media notification obligations in the post-delay compliance checklist if the breach affects 500+ individuals. | Compliance Officer / PR | Post-delay
Retain all correspondence and documentation related to law enforcement delay requests securely for six years. | Records Management | Ongoing

References and Further Reading

  1. HHS OCR – Breach Notification Rule Overview

  2. 45 CFR § 164.412 – Law Enforcement Delay

  3. FBI Cybercrime Guidance for Healthcare Entities

Final Thoughts and Recommended Next Steps

The law enforcement delay provision under HITECH allows covered entities and business associates to support criminal investigations and national security without sacrificing compliance if the rules are followed exactly.

Next Steps for Your Practice:

  • Develop a breach response policy that includes procedures for handling law enforcement delay requests

  • Train staff on documentation requirements for both oral and written requests

  • Maintain a breach response calendar to track all deadlines and request expirations

  • Review state laws to ensure your response meets the strictest applicable standard

By understanding and correctly applying § 164.412, your practice can cooperate with law enforcement while fully meeting your regulatory obligations. An effective way to reinforce compliance is through a HITECH regulatory platform. Such systems track evolving requirements, generate ongoing risk insights, and ensure your practice remains audit-ready, minimizing liabilities while strengthening patient trust.