Many New Year’s resolutions focus on actions intended to save money and reduce stress. Organizations, especially those in the health care industry, should consider a resolution to review their breach notification procedures to ensure timely notification of future data breach events. Because when it comes to breach notification, time is money. Failing to report a data breach on time can result in substantial payments and other HIPAA enforcement actions against health care providers.
In an early 2017 reminder that time is of the essence, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced the first Health Insurance Portability and Accountability Act (“HIPAA”) settlement based on the untimely reporting of a breach of unsecured protected health information. The terms of the settlement required Presence Health, a health care network that, according to HHS, did not report a breach on time, to pay $475,000 and implement a corrective action plan.
Presence Health discovered its breach on October 22, 2013 when “paper-based operating room schedules” were determined to be missing. Unfortunately, the schedules included the unsecured protected health information of 836 individuals. The information included “individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.” As such, the missing records constituted a reportable data breach under HIPAA.
HHS concluded that Presence Health took too long to provide its required notice. It notified HHS OCR about the breach on January 31, 2014, more than three months after discovering the breach, and did not notify affected individuals and the media until early February 2014. While investigating the October 2013 breach, OCR also learned that Presence Health had failed to promptly notify affected individuals in other breaches.
By way of background, HHS generally defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” It further notes that such “an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment….” (emphasis added). That risk assessment would include, per HHS, at least the following four factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated. Unless that risk assessment shows a low probability that the protected health information was compromised, the covered entity or business associate must provide the appropriate notice of the breach.
While the breach notice requirements vary, generally the party must provide notice to the affected individuals and to the Secretary and, depending on the number of affected individuals, to the media as well. Regardless, the notifications to individuals (and to the media and OCR, depending on the number of affected individuals) must be made “without unreasonable delay and in no case later than 60 days following the discovery of a breach.”
While Presence Health’s settlement with OCR does not include an admission of a violation of HIPAA rules, it does require Presence Health to make the previously mentioned $475,000 payment and to enter into a “Corrective Action Plan.” The Corrective Action Plan was published as Appendix A to the Presence Health settlement. It includes: revising, with HHS approval, Presence Health’s existing policies; training its employees on the updated policies; and enhanced reporting requirements to HHS.
Presence Health’s settlement is a reminder of the value of promptly reporting data breaches when they occur, because time really is money.