The first HIPAA enforcement action of 2017 (announced January 9) is also the first of its kind – an enforcement action by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) for untimely reporting of a breach of unsecured protected health information (PHI) to affected individuals, HHS, and the media. The covered entity will pay $475,000 and implement a corrective action plan to settle the potential Breach Notification Rule violations.
The settlement stems from an October 2013 breach in which paper-based operating room schedules containing PHI (names, dates of birth, medical record numbers, dates and types of procedure, surgeon names, and types of anesthesia) of 836 individuals went missing from the covered entity’s surgery center. HHS was notified 101 days after the breach was discovered, affected individuals were notified 104 days after discovery, and media outlets were notified 106 calendar days after discovery. During its investigation, OCR reviewed the covered entity’s breach logs for the past few years and discovered additional untimely notifications to individuals.
For breaches affecting more than 500 individuals, the Breach Notification Rule requires notification to affected individuals, the media, and HHS “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” See 45 CFR 164.404(b), 164.406(b), and 164.408(b). A breach is treated as discovered as of the first day on which it is known, or in the exercise of reasonable diligence would have been known, to the entity; for this purpose, the knowledge of any person who is a workforce member or agent of the entity, other than the person committing the breach, is attributed to the entity. See 45 C.F.R. § 164.404(a)(2). In the Resolution Agreement, OCR emphasized that each day on which the covered entity failed to notify each affected individual constituted a separate violation of the Breach Notification Rule.
Among other things, the corrective action plan requires the covered entity to update its breach notification and sanctions policies and procedures, including annual reviews thereafter, and approval of policies and procedures by HHS. To put the settlement in context, the covered entity is one of the country’s largest health care networks with approximately 150 locations, including hospitals, long-term care and senior living facilities, physician offices, and health care centers. Despite the number of affected individuals and the size of the covered entity (and presumably its HIPAA sophistication), OCR accepted a relatively modest settlement amount ($475,000) that balanced its need to emphasize the importance of timely breach reporting with its desire not to disincentivize breach reporting altogether.
This enforcement action underscores the need for covered entities and business associates to have clear policies and procedures in place to meet Breach Notification Rule requirements effectively and on time. All breaches discovered in 2016 affecting fewer than 500 individuals must be reported to HHS by March 1, 2017. Please contact your von Briesen health law attorney with any questions or for assistance regarding breach assessment or reporting.