Client Alerts

HIPAA Breach Notification Enforcement Action

About: Health Care

Could any of the following happen in your workplace?

In early 2017, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced its first settlement for failure to timely report the breach of unsecured protected health information (PHI). Presence Health Network, a large Chicago-based health care system, agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.

A data breach requires a quick response, careful investigation, and effective action to mitigate the effects of the breach. Failure to comply with the law can result in a government enforcement action, substantial fines, and adverse publicity. If you or your company is a HIPAA Covered Entity or a Business Associate, you must be familiar with the timeline for completing an investigation and your reporting obligations under the HIPAA rules:

Covered Entities under HIPAA (health care providers, health plans, and health care clearinghouses) are required to self-report a breach of unsecured PHI to the affected individual(s) without reasonable delay, but in no event more than 60 days after discovery. If the breach involves 500 or more persons, it must also be reported to HHS within 60 days after discovery (at the same time that the affected individual(s) are notified), and if the breach involves more than 500 persons in a state, it must be reported to the local media within 60 days after discovery. If the breach involves fewer than 500 persons, the Covered Entity must report the breach to HHS no later than 60 days after the end of the calendar year.

Business Associates are required to notify the Covered Entity of a breach of unsecured PHI within 60 days after discovery so that the Covered Entity may provide the required notices to others. Under some circumstances, Business Associates may also have reporting obligations.

Similar breach notification provisions are enforced by the Federal Trade Commission (FTC) against vendors of personal health records and their third party service providers, and Ohio adopted a security breach notification law in 2006 that requires notification of individuals whose electronic personal information has been the subject of a security breach.

Presence St. Joseph Medical Center discovered on October 22, 2013, that its paper-based operating schedules were missing from its surgery center. The schedules contained PHI of 836 persons, including names, birthdates, procedure information, and medical record information. Presence Health did not report the breach to HHS until 101 days after the breach was discovered; did not notify the affected individuals until three days after that; and did not notify the media for two more days. The government also noted that Presence Health had failed to make timely reports of data breaches on two other occasions.

Not all data breaches are required to be reported, and in many cases you may be able to determine that the incident does not meet the definition of an unsecured breach of PHI under the Rule, or that it fits within the breach exception. However, it is critical to make this determination within the 60 day window for reporting, and to document your investigation and the basis for concluding that the incident did not need to be reported.

Of course, the best insurance is to avoid a data breach in the first place. Be familiar with your obligations under the HIPAA privacy and security rules and state law; adopt required policies, procedures, and safeguards; conduct regular training; and periodically monitor compliance. But, despite your best efforts, a data breach may occur. We recommend that you take the time now to develop and have in place a detailed breach notification policy to guide you through the right steps to take to immediately respond to the crisis and comply with any reporting obligations.