HIPAA Breach.  Late Report Yields $475,000 Fine.

In early January, 2017, the US Department of Health and Human Services, Office of Civil Rights (OCR), announced that Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.

The key allegation was that Presence Health was approximately 40 days late in reporting the breach to the affected individuals and to OCR.  The penalty and correction was for failure to timely report the breach to the affected individuals, the media and OCR.

Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.

Why we should care

The investigation of unauthorized disclosures or other breaches of PHI tend to be fire drills for covered entities and business associates.

While all covered entities and business associates should have procedures in place for response to potential breaches of PHI, and most have some sort of documentation, few actually test these procedures.

A potential breach of PHI can be a shattering event for a covered entity or business associate, to say nothing of the individuals.  For many, it means that the privacy and security structure failed.  For a business associate, it often means that a relationship with a customer may have been compromised.

However, a well-structured breach response plan and regular, at least annual, “fire drilling” the entity’s breach response capacity, will prepare the organization for problems and demonstrate good faith effort to comply with the law.

The Breach Notification Rules

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification (ex., well encrypted PHI is unlikely to be reidentified and is therefore, not subject to breach);
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

Covered entities and business associates do not get the benefit of the doubt.  It may be easier to provide the required breach notifications following an impermissible use or disclosure if you cannot be certain  that the protected health information has not been compromised.

Each covered entity and business associate should be prepared, on discovery of an unauthorized or impermissible use or disclosure to do the following:

  1. Determine whether a breach occurred (Apply the four part analysis and the exceptions)
  2. Determine whose PHI was subject of the breach;
  3. Determine how to mitigate the cause of the breach;
  4. Determine what entity has the legal and contractual responsibility to report the breach. Often if vendors are involved, the responsibility for reporting is the subject of negotiation;
  5. Draft the notification describing what occurred; what information may have been impermissibly used or disclosed; how the threat has been or will be mitigated; and whom to contact.
  6. Deliver the notification to the individuals (also, the media and OCR, if necessary) well within the 60 day reporting period.

Do not assume that these steps automatically occur.  Investigations require time and the attention of people for whom the process is not part of their ordinary duties.  Doctors, nurses, office staff and executives would prefer to focus on other matters.  Breach response must have the absolute support of the entity’s leadership in order to be effective.

Moreover, often the notification may involve other relationships, such as those between an EHR or app vendor and a covered entity.  Business imperatives, such as contract renewals, may become factors in the notice timing.  A privacy officer needs to be empowered to overrule business imperatives to assure compliance.

Finally, HIPAA compliance has become something of a commodity.  Customizable policies and procedures are available on line and from consultants at a relatively low cost.  While COTS policies and procedures may meet the letter of the law, they are not helpful from a legal perspective unless they can be implemented at a time of great stress.

What you can do now

  1. Review PHI breach response policies and procedures with the lawyer you are going to call when you discover an inappropriate use or disclosure of PHI. Do not allow a large consulting firm or law firm to delegate this task to a less experienced person.  That is not who you will want to rely upon when a breach actually occurs.
  1. Practice.  Practice.  Fire Drills are an unproductive waste of time, until there is a fire.  Practicing the breach response is unproductive time for everyone except that it will expose problems with help tailor the policies and procedures for an effective response to the real thing.
  1. Make compliance and practice an organizational imperative. For health care organizations, the hosting, privacy and security of PHI is a key component of the relationship of trust with the patients.  It requires support from the top of the organization.  Fortunately, most health care entities recognize the centrality of PHI and the importance of HIPAA compliance.

If you would like to discuss, please contact me: [email protected] or call me at 215-292-1246.