Think you can take your time when breached? Think Again!
In January of this year, the HHS Office for Civil Rights levied a $475,000 fine against Presence Health for taking too long to notify their patients - as well as the OCR - after discovering a breach of PHI (protected health information). The incident occurred in October 2013 when Presence Health, based in Illinois, discovered that hundreds of physical documents containing patient names, birth dates, medical record numbers, and surgery details for 836 patients were missing. They did not report the breach to the OCR until Jan. 31, 2014 - 100 days after the incident occurred.
This was the first HIPAA fine "solely based on an unnecessary delay to breach notification" (HIPAAJournal).
Now, CoPilot Provider Support Services, Inc., a business associate based in New York, is under investigation for delayed reporting of a breach of ePHI (electronic protected health information). An unauthorized person accessed and downloaded 221,178 individuals' sensitive information in October 2015, but CoPilot didn't involve the FBI until February 2016 and didn't issue breach notifications to patients or the media until January 2017. Oops! The OCR is still investigating whether CoPilot is a HIPAA-covered entity, but the NY State Attorney General levied a $130,000 fine in June for violation of state law, according to an announcement from the Attorney General's Office.
Healthcare entities cannot afford to delay breach notification. Here's a summary of the basic notification requirements outlined in the Breach Notification Rule:
- A covered entity must notify the Secretary of Health and Human Services (via their portal) if it discovers a breach of unsecured protected health information.
- If the breach affects 500 or more individuals, the covered entity must notify HHS/OCR "without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach." (HHS.gov)
- If a breach affects fewer than 500 individuals, the covered entity must notify HHS/OCR "within 60 days of the end of the calendar year in which the breach was discovered." It is NOT necessary to wait until the end of the calendar year.
- Regardless of the size of the breach, a covered entity must notify patients "in written form by first-class mail...or by e-mail" (if an individual has agreed to email communication) "without unreasonable delay and in no case later than 60 days following the discovery of a breach."
- If a breach affects more than 500 individuals, the covered entity must also notify the media.
More detailed instructions for dealing with incomplete or out-of-date contact information can be found on the HHS website.
These incidents and resulting fines should serve as a wake-up call to the industry - take action sooner rather than later!