PH Privacy

40-Day Delay in HIPAA Breach Notification Costs Illinois Health System $475,000

February 03, 2017

James H. Koenig and Joanne Joseph

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), has recently announced its first Health Insurance Portability and Accountability Act (“HIPAA”) enforcement action for failure to timely comply with the HIPAA Breach Notification Rule (“Rule”), which came into effect in 2009.  On January 9, 2017, OCR revealed that Presence Health, one of the largest integrated health systems in Illinois, agreed to settle potential violations of the Rule by paying $475,000 and implementing a two-year corrective action plan (“CAP”).  The Resolution Agreement between HIPAA and Presence Health and the associated CAP provide helpful insight for covered entities (“CEs”) regarding what proactive steps should be taken to avoid HIPAA non-compliance and the associated financial and reputational cost that can result.
Factual Background

• Delayed Notice of Breach.  On January 31, 2014, Presence Health sent a breach notification report to OCR indicating that on October 22, 2013 (101 calendar days earlier), Presence Health had discovered that paper-based operating room schedules were missing from one of its medical centers.  The report noted that Presence Health had violated the Rule requiring CEs (such as Presence Health) to provide data breach notifications without unreasonable delay and within 60 days to the following sets of recipients: (1) affected individuals; (2) HHS; (3) and prominent media outlets (as required if the breach affects 500 or more individuals). 

  • 40+ Day Delay.  In this case, Presence Health’s notifications to each set of recipients exceeded 100 calendar days from its discovery of the breach (implicating a separate violation of the Rule for each day Presence Health failed to notify the affected individuals, HHS and the media), which surpassed the required notification timeframe by at least 40 calendar days in each case.   

  • Mea Culpa.  According to Presence Health, the delay in providing data breach notifications was due to “miscommunications between its workforce members,” and the Resolution Agreement did not provide further details.  Notably, while internal communication, mis-coordination and delays are common, the OCR has provided that the only permissible exception to the 60-day notification timeframe is for the benefit of law enforcement investigations.

• PHI at Issue. The schedules at issue contained unsecured protected health information (“PHI”) of 836 individuals, and included identifiers such as patients’ names, dates of birth, medical record numbers and types of medical procedures.
  Key Takeaways for CEs

1. Update Policies.  Review and revise HIPAA-related policies and procedures with a particular focus toward clearly defining employees’ roles and responsibilities.

   Based on the CAP, Presence Health must update its policies to comply with the requirements of the Rule.  Accordingly, CEs should also adopt and implement policies and procedures providing for the timely and adequate notification of a breach to HHS, individuals and the media (if applicable).  To avoid internal miscommunications like the one in Presence Health, CEs should ensure that such policies and procedures explicitly delineate its employees’ roles and responsibilities with respect to the following priority areas identified in the CAP:

• receiving and acting upon internal and external reports related to potential breaches of unsecured PHI;

• completing risk assessments of potential breaches to determine the likelihood that PHI has been compromised;

• preparing and sending notifications to individuals, HHS and the media (if applicable) without unreasonable delays and within the Rule’s prescribed timeframes; and

• updating policies and procedures related to the Rule on an at least annual basis.

1. Training.  Provide up-to-date HIPAA training to employees.

   The CAP requires Presence Health to provide annual and ongoing training based on its updated incident response policies and procedures.  Accordingly, CEs should provide training to all current and new workforce members related to the Rule on an at-least annual basis, and more frequently if appropriate.  Such trainings should be comprehensive and include information about what constitutes a breach of PHI, the importance of quickly reporting and acting upon reports of potential breaches of PHI given the prescribed timelines, and the key people at the CE to whom such reports should be made.  This training, in most cases, is integrated with HIPAA, privacy, and/or security awareness training.

2. Sanctions.  Enforce HIPAA-related policies through sanctions to incentivize employee compliance.

   An important theme in OCR CAPs is to include a sanctions provision to ensure that companies take action in instances of non-compliance and the workforce takes HIPAA obligations seriously.  CEs should impose sanctions on workforce members (e.g., retrain, compensation/bonus impact and/or termination) that fail to adhere to HIPAA-related policies and procedures to ensure that employees are properly incentivized to comply.  Accordingly, consistent with the requirements of Presence Health’s CAP, CEs should be certain to not merely have policies and procedures in place, but to also impose sanctions on staff members who fail to comply.

3. Create a “battle plan” and conduct incident response mock simulations. Prepare a day-by-day incidence response strategy and arrange a corresponding simulation to ensure that employees are prepared well in advance of an actual breach.

Once a CE learns of a breach, the clock starts ticking on the 60-day notification requirement and the workforce should be poised to spring immediately into action.  The notification process requires significant lead time given the multiple tasks involved, such as investigating the breach, analyzing any changes to the regulatory requirements, tracking down affected individuals’ names and addresses, communicating and coordinating with the relevant decision-makers, setting up call centers to answer data subjects’ questions, and preparing and mailing notifications.
CEs should therefore prepare a day-by-day incident response “battle plan” that outlines required tasks and corresponding responsibilities tied together with specific timelines.  This plan should match-up to the CE’s HIPAA-related policies and procedures and regulatory requirements. 

Increasingly, health care organizations are conducting cyber war-gaming simulations to practice coordination and communication related to the detection, escalation, and reporting of breaches related to cyber and other attacks.  Such exercises are an important way for CEs to ensure that they have defined timetables, coordinated team members, and an overall awareness of compliance requirements.  Using incident response mock simulations and cyber wargames to practice coordination and communication in advance of an actual event is not just an industry best practice, but an increasingly common practice across healthcare.

OCR’s Message to CEs

OCR’s recent settlement with Presence Health sends a strong and clear warning to CEs that foot-dragging is not permitted and failing to report a data breach in timely manner may have serious repercussions.  CEs should also take note that the OCR will take enforcement action, regardless of the medium – paper or electronic records – involved.
If CEs fail to heed its message, this settlement may be only the first of many data breach notification-related enforcement actions brought by the OCR.

PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.