On January 9, 2017, the U.S. Department of Health and Human Services (“HHS”) announced its first enforcement action under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) involving delayed data breach reporting. HHS settled alleged violations of the HIPAA breach notification rule committed by Presence Health, one of the largest health care networks in Illinois. The settlement agreement called for Presence Health to pay $475,000 and to adopt a corrective action plan. This settlement underscores the importance of understanding your organization’s HIPAA policies and procedures, and raises several practical considerations going forward.
As background, under HIPAA, a “breach” is an unauthorized access, acquisition, use, or disclosure of protected health information (“PHI”) which compromises the privacy or security of the PHI. HIPAA imposes several notification requirements on covered entities (health plans, health care clearinghouses, and certain health care providers) upon discovery of a breach. First, covered entities must notify impacted individuals “without unreasonable delay,” but in no event later than 60 days following the discovery of the breach. HHS has made clear that the 60-day deadline is an outer limit, and that some breaches may warrant expedited notice. Second, covered entities must notify HHS. The timing depends on the number of individuals impacted by the breach—if 500 or more individuals are impacted, the covered entity must notify the Secretary of HHS contemporaneously with notifying impacted individuals; if fewer than 500 individuals are impacted, the deadline is 60 days after the end of the calendar year in which the breach was discovered. Finally, if the breach impacts more than 500 residents of a state or jurisdiction, the covered entity must notify a prominent media outlet serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. Note that for breach notification purposes, a breach is treated as “discovered” as of the first day on which the incident giving rise to the breach is known to the covered entity or, by exercising reasonable diligence, would have been known to it.
HIPAA also imposes breach notification obligations on “business associates” of covered entities. Business associates are entities or individuals that perform HIPAA-regulated functions for covered entities that necessitate access to PHI. For example, a claims administrator would be a business associate of a self-insured group health plan, and a third-party billing coordinator would be a business associate of a health care provider. If a business associate experiences a breach, the business associate must notify the covered entity without unreasonable delay, and in no case later than 60 days after the business associate discovers the breach. Upon notice from the business associate, the covered entity must, in turn, satisfy the notification requirements described above, although covered entities are free to contractually delegate those responsibilities to business associates. The covered entity, however, remains legally responsible for notice. Note that HHS has clarified that when a business associate acts as the agent of a covered entity, the business associate’s discovery of the breach starts the clock on the covered entity’s maximum 60-day notification window. Covered entities should therefore take care, wherever possible, not to inadvertently create an agency relationship with their business associates.
The settlement agreement between HHS and Presence Health states that the network waited over 100 days (over 40 days beyond the 60-day outer limit) to notify impacted individuals, HHS, and the media of a breach in which operating records containing the PHI of 836 individuals went missing. The agreement notes that Presence Health blamed its delay on “miscommunications between its workforce members.”
The potential penalties for delayed reporting can be significant. Covered entities can face over $1.5 million in penalties for all willful violations of a breach notification requirement in a calendar year. Thus, if a covered entity willfully violates all three notification requirements—to individuals, to HHS, and to the media—the covered entity could face over $4.5 million in penalties. The recent settlement between HHS and Presence Health demonstrates that covered entities must be diligent in responding to and reporting potential breaches. Any reporting delay, especially one of 40 days as in the case of Presence Health, can be costly.
The Presence Health settlement raises important questions that every covered entity should be able to answer:
- Does the covered entity have an incident response team in place, with clear lines of authority and communication to avoid delays in reporting?
- Does the entity have HIPAA policies and procedures in place, as required under HIPAA?
- Do those policies and procedures establish a coherent breach response plan?
- Do the covered entity’s business associate agreements outline a breach response protocol? Is the business associate acting as an agent of the covered entity (thus triggering expedited breach notification timelines)?
HIPAA-covered entities should review their breach response plans and business associate agreements, and identify any deficiencies that could lead to delayed reporting. In the wake of the Presence Health settlement, it is clear that HHS takes delayed reporting seriously. So should covered entities.