Why delays in reporting a breach will cost organizations dearly
The first HIPAA enforcement action of 2017 is also the first of its kind—a stiff penalty by the U.S. Department of Health and Human Services' Office for Civil Rights leveled against a provider that tarried in reporting a breach of unsecured protected health information to affected individuals, HHS and the media.
In the settlement, Presence Health has agreed to pay $475,000 and implement a corrective action plan for failing to comply with the HIPAA breach notification rule.
The settlement stems from an October 2013 breach in which paper-based operating room schedules containing PHI (names, dates of birth, medical record numbers, dates and types of procedure, surgeon names, and types of anesthesia) of 836 individuals were missing from one of the system's surgery centers.
HHS was notified 101 days after the breach was discovered, affected individuals were notified 104 days after discovery, and media outlets were notified 106 calendar days after discovery. During OCR’s investigation, it reviewed the covered entity’s breach logs for the past few years and discovered additional untimely individual breach notifications.
For breaches affecting more than 500 individuals, the Breach Notification Rule requires notification to affected individuals, media and HHS “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
Breaches are treated as discovered as of the first day on which the breach is known, or in the exercise of reasonable diligence would have been known, to the entity; for this purpose, knowledge held by any workforce member or agent of the entity (other than the person committing the breach) is attributed to the entity. In the resolution agreement, OCR emphasized that each day on which the covered entity failed to notify each affected individual constituted a separate violation of the Breach Notification Rule.
Among other things, the corrective action plan requires the covered entity to update its breach notification and sanctions policies and procedures, including annual reviews thereafter, and approval of policies and procedures by HHS.
To put the settlement in context, the covered entity is one of the country’s largest health care networks with approximately 150 locations, including hospitals, long-term care and senior living facilities, physician offices, and health care centers. Despite the number of affected individuals and the size of the covered entity, and presumably its HIPAA sophistication, OCR accepted a relatively modest settlement amount that balanced its need to emphasize the importance of timely breach reporting with its desire not to disincentivize breach reporting altogether.
This enforcement action underscores the need for covered entities and business associates to have clear policies and procedures in place to respond to Breach Notification Rule requirements in an effective and timely manner. All breaches discovered in 2016 affecting fewer than 500 individuals must be reported to HHS by March 1, 2017.