In the ever-growing world of electronic health records, cloud-based storage, and IT hacks, it is of the utmost importance to know how to handle a breach of protected health information (PHI).
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with requirements to protect the privacy and security of health information. Health plans, such as health insurance companies or government programs such as Medicare and Medicaid, qualify as covered entities. Health care providers, such as doctors, clinics, dentists, chiropractors, and pharmacists, also qualify as covered entities if they electronically submit claims or other information to carry out financial or administrative activities related to health care.
For any breach affecting more than 500 individuals, a covered entity, such as a doctor’s office, must investigate and report the breach without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If it fails to do so, it may be subject to HIPAA fines. The Office for Civil Rights just settled its first case of the year against Presence Health, one of the largest integrated health systems in Illinois, for ‘unreasonable delay’ in reporting a HIPAA breach. The report was 45 days late. The fine was $475,000.
The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline.
We can learn a valuable lesson from Presence Health’s blunder: covered entities must take the reporting deadlines seriously. For notification to affected individuals, the breach must be reported without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If the breach involves 500 or more individuals, the covered entity must notify HHS at the time it notifies affected individuals. If the breach involves fewer than 500 individuals, the covered entity may wait to notify HHS until no later than 60 days after the end of the calendar year. If the breach involves more than 500 residents in one state, the covered entity must notify local media at the time it notifies affected individuals. One important clarification for covered entities: the 60-day time period begins to run from the time that any member of the covered entity’s workforce (other than the person committing the breach) knew or by exercising reasonable diligence should have known that the breach occurred.
In addition, while we’re on the topic, please allow us to remind you about a few best practices to avoid HIPAA blunders:
- Update Your Policies. Covered entities should adopt, implement, revise, and update their policies and procedures providing for the timely and adequate notification of a breach to HHS, individuals, and the media. To avoid internal miscommunication, covered entities should ensure that such policies and procedures explicitly define employee roles and responsibilities with respect to who 1) completes risk assessments of potential breaches, 2) receives and acts upon reports related to potential breaches, 3) prepares and sends notifications to individuals, HHS, and the media without unreasonable delay and within the Rule’s prescribed timeframes, and 4) updates policies and procedures on an at-least annual basis.
- Train Your Employees. Make it a priority to provide annual and ongoing training based on your updated policies and procedures. It is best to provide training to all current and new workforce members on an at-least annual basis. Such trainings should be comprehensive, should include information about what constitutes a breach and the importance of quickly reporting and acting upon reports of potential breaches, and should identify the key people to whom such reports should be made.
- Incentivize Employee Compliance. Impose sanctions on workforce members (e.g., retraining, compensation/bonus impact, and/or termination) who fail to adhere to HIPAA-related policies and procedures, to ensure that employees are properly incentivized to comply. Accordingly, be sure that you do not merely have policies and procedures in place, but that you impose sanctions on staff members who fail to comply.
- Prepare and Practice Your Game Plan. Once you learn of a breach, the clock starts ticking, so it’s best to be ready to spring into action as quickly as possible. The notification process requires multiple tasks, such as investigating the breach, analyzing any changes to the regulatory requirements, tracking down affected individuals’ names and addresses, communicating and coordinating with the relevant decision-makers, setting up call centers to answer data subjects’ questions, and preparing and mailing notifications. Therefore, the best practice is to have an incident response plan ready; a battle plan, if you will. Put in place, and practice as much as possible, your coordination and communication strategies related to the discovery and reporting of breaches. Such exercises are an important way for you to ensure that you have defined timetables, coordinated team members, and an overall awareness of compliance requirements.
For questions, please contact:
Megan Hopfer | Attorney
2105 Coronado St | Idaho Falls, ID 83404
(208) 523-5171 | mhopfer@beardstclair.com
This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Beard St. Clair Gaffney PA or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Beard St. Clair Gaffney PA. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.