Are You Timely Reporting HIPAA Breaches? OCR Settlement Emphasizes Need for Swift Breach Response Are You Timely Reporting HIPAA Breaches? OCR Settlement Emphasizes Need for Swift Breach Response

Are You Timely Reporting HIPAA Breaches? OCR Settlement Emphasizes Need for Swift Breach Response

In January 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Presence Health Network (Presence) to resolve potential violations of the HIPAA Breach Notification Rule. Presence is one of the largest health care systems in Illinois, and consists of over 150 locations, including 11 hospitals, 27 long-term care and senior living facilities, and a multitude of physician’s offices and clinics. Under the terms of the settlement, Presence agreed to pay a $475,000 resolution amount and adhere to a corrective action plan. Notably, this is OCR’s first enforcement action focusing exclusively on noncompliance with the Breach Notification Rule’s timeliness requirements for reporting breaches.

OCR launched its investigation into Presence’s breach notification practices after receiving a breach report from Presence in January 2014. The breach report indicated that in October 2013, a Presence hospital discovered that paper-based operating room schedules containing the protected health information (PHI) of 836 individuals were missing. According to OCR’s resolution agreement, Presence admitted that “miscommunications between its workforce members” resulted in a delay in sending notifications about the incident. The investigation ultimately revealed that Presence provided breach notifications to the affected individuals, OCR, and the media considerably past the deadlines prescribed by the Breach Notification Rule. While investigating the October 2013 breach, OCR also learned that on several occasions in 2015 and 2016, Presence failed to timely notify individuals affected by small breaches.

The Presence enforcement action serves as a vital reminder that HIPAA-regulated entities should develop and implement comprehensive breach response plans. Importantly, the corrective action plan requires Presence to revise its existing Breach Notification Rule policies and procedures to “more explicitly delineate its workforce members’ roles and responsibilities” related to assessing potential breaches of PHI, preparing breach notifications, and ensuring that all required breach notifications are submitted within the applicable time frames.

This action also highlights the policy rationale underlying the Breach Notification Rule’s timeliness requirements—namely, individuals need to be expeditiously apprised of breaches involving their PHI so that they may take steps to protect themselves from harm.[1]  As former OCR Director Jocelyn Samuels emphasized in OCR’s announcement of the settlement, Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.

Below are several practical tips and lessons we can glean from OCR’s settlement with Presence:

1.      Be Mindful of HIPAA Breach Reporting Obligations and Deadlines. The Breach Notification Rule’s reporting requirements for breaches of unsecured PHI vary according to the size of the breach and the type of the regulated entity.[2] A covered entity must report breaches of unsecured PHI[3] affecting 500 or more individuals (i.e., “large breaches”) to the affected individuals, OCR, and prominent media outlets serving each state or jurisdiction in which more than 500 of the affected individuals reside “without unreasonable delay,” and no later than 60 calendar days after the covered entity discovers the breach. Moreover, a covered entity must report a large breach to OCR contemporaneously with the notification it provides to the affected individuals.

With respect to breaches of unsecured PHI affecting fewer than 500 individuals (i.e., “small breaches”), a covered entity must notify the affected individuals “without unreasonable delay,” and no later than 60 calendar days after it discovers the breach. A covered entity must notify OCR of a small breach no later than 60 days after the end of the calendar year in which the breach was discovered, and it does not need to notify media outlets of a small breach.

A business associate, meanwhile, is obligated to report a breach of unsecured PHI to a covered entity “without unreasonable delay,” and no later than 60 calendar days after the business associate discovers the breach. Typically, business associate agreements will contain stricter timelines for business associates to report suspected or confirmed breaches to covered entities.[4] The timelines to which the business associate agreed in the business associate agreement will control if they are shorter than the regulatory timelines.

In all circumstances, the deadlines do not apply if the entity has received a valid request from a law enforcement official to delay the provision of notifications.

The phrase “without unreasonable delay” is a critical element of the timing equation. Many covered entities and business associates automatically calendar a 60-day response deadline and mistakenly believe they are compliant—in all cases—if they report any time within that period. In fact, 60 calendar days from the date of discovery is simply an outside limit. The key compliance standard for breach notification is always “without unreasonable delay.” Reporting on the 60th day after discovery is only compliant if that is the very soonest the covered entity or business associate could report given its obligation to conduct a reasonable investigation into whether an unauthorized acquisition, access, use, or disclosure of PHI was, in fact, a “breach” of unsecured PHI.  As OCR states, “The 60 days is an outer limit and therefore, in some cases, it may be an ‘unreasonable delay’ to wait until the 60th day to provide notification.”[5]

Exercising “reasonable diligence” to investigate breaches means acting with the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.[6] OCR explains:

The determination of whether a person acted with reasonable diligence is generally a factual one, since what is reasonable depends on the circumstances. Factors to be considered include whether a covered entity or business associate took reasonable steps to learn of breaches and whether there were indications of breaches that a person seeking to satisfy the Rule would have investigated under similar circumstances. Covered entities and business associates may wish to look to how other covered entities and business associates operating under similar circumstances conduct themselves for a standard of practice.[7]
 
And when does the clock for breach notification start ticking? Again, many covered entities and business associates unwittingly find themselves out of compliance by assuming the obligation to report without unreasonable delay begins on the day they determine a breach occurred. The reporting period actually begins earlier, when the entity learns about an “incident”—an acquisition, access, use, or disclosure of PHI that is impermissible under the HIPAA Privacy Rule—that it subsequently investigates. OCR emphasizes:

Under [the Breach Notification Rule], the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. A covered entity is expected to make the individual notifications as soon as reasonably possible after the covered entity takes a reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice to the individual.[8]
 
2.      Create and Test a Breach Response Plan. For HIPAA-regulated entities, maintaining—and regularly testing—a breach response plan is critical to ensuring compliance with the Breach Notification Rule’s reporting requirements. In fact, the Breach Notification Rule explicitly requires covered entities to develop policies and procedures to implement its provisions.[9] The Rule does not mandate that business associates create breach notification policies and procedures, but it is still advisable for a business associate to do so to optimize its ability to respond to breaches.[10]

An effective breach response plan should clearly articulate methods for responding to various types of privacy and security incidents. The plan should also identify the key members of the breach response team, describe their particular roles and responsibilities, and establish lines of communication both internally and with external resources, such as forensic vendors and outside counsel. After devising the plan, a covered entity or business associate should periodically conduct table-top exercises to test the efficacy of the plan and ensure that all team members understand their duties.

By implementing a thoughtful, well-documented breach response plan, covered entities and business associates may avert internal miscommunications that can result in missed breach reporting deadlines.

3.      Train Workforce Members on Identifying and Reporting Potential Breaches. The date on which a workforce member, who is generally regarded as an agent of the HIPAA-regulated entity, first observes a potential HIPAA Privacy Rule violation is often the entity’s “date of discovery” for breach notification purposes.[11] As a result, it is crucial for covered entities and business associates to train all workforce members on how to detect potential breaches and internally report such incidents to the appropriate personnel, such as the entity’s privacy or compliance officers.
 
It is equally important for covered entities and business associates to ensure that breach response team members are well-versed on their response plans and breach notification obligations. Even privacy and compliance officers should be thoroughly trained on the entity’s breach response plan so that they understand their roles with respect to investigating, analyzing, and reporting the incident. Indeed, the Breach Notification Rule requires a covered entity to train workforce members on its breach notification policies and procedures and document its administration of such training.[12]
 
4.      Refrain from Unreasonably Delaying Breach Reporting. As discussed above, OCR may find that a HIPAA-regulated entity has violated the Breach Notification Rule’s timeliness requirements if it gathers sufficient evidence to demonstrate that the entity unreasonably delayed its provision of breach notifications—even if the entity ultimately sent the notifications within the 60-day window. A covered entity, for example, that is prepared to send required notifications ten days after discovering a breach but nevertheless waits until the 60th day following the date of discovery can be found to have unreasonably delayed the fulfillment of its reporting obligations.[13]

Accordingly, breach response teams must work diligently to examine potential breaches without allowing their internal investigations to unnecessarily languish. Even though OCR recognizes that an entity may “require a reasonable amount of time to confirm whether the incident qualifies as a breach,” the entity cannot delay providing notifications based on the pendency of its investigation if the postponement would be “unreasonable” under the specific circumstances.[14]

Some entities may unreasonably delay sending breach reports or miss the 60-day deadline altogether because they hope that their ongoing investigations into the incident will unearth information that will materially alter their analysis as to whether the incident is a reportable breach. These entities should be aware that OCR permits the filing of an addendum to the initial breach report through its online breach portal. For instance, entities that eventually conclude that an incident did not involve PHI or did not affect 500 or more individuals can provide OCR with this supplementary information using the addendum tool.
 
5.      Recognize that this Enforcement Action Should Not Disincentivize Breach Reporting. In its press release announcing the Presence settlement, OCR stated, “With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.” OCR’s assertion acknowledges that there is a slight possibility that this enforcement action will have a chilling effect on covered entities and business associates filing overdue breach reports altogether. HIPAA-regulated entities, however, should appreciate that OCR has historically used other mechanisms to identify breaches that are deliberately unreported. OCR can still learn about such breaches through complaints filed by members of the public, news reports, and referrals from other federal agencies and state agencies. Consequently, an entity that realizes it has missed a breach notification deadline can avoid appearing to have acted in bad faith by immediately reporting the breach to the appropriate parties.

6.      Remember to Assess State Breach Reporting Obligations. Often, breaches of unsecured PHI will trigger state breach notification laws that require entities to report breaches of “personal information” to the affected state residents and, in some cases, the office of the state attorney general, other state government agencies, and consumer reporting agencies. Some of these laws require notifications to be made “without unreasonable delay” or “in the most expedient time possible,” while others may impose reporting timeframes that are more stringent than the Breach Notification Rule. Florida’s law, for instance, requires notifications to be made to the affected individuals within 30 days of identifying the breach.[15] Many state breach notification laws carve out an exception for HIPAA covered entities; however, these exceptions usually can be invoked only if the covered entity has demonstrated compliance with the Breach Notification Rule. Because the majority of these state laws permit state regulators to sue entities for failures to comply with breach reporting provisions, HIPAA-regulated entities should carefully analyze their notification obligations under relevant state laws when faced with a breach of unsecured PHI.[16]  

Conclusion

HIPAA-regulated entities should take heed of the significant message conveyed by the Presence enforcement action—timely notification of HIPAA breaches matters. Prompt breach notification is necessary to allow individuals affected by breaches to quickly take measures to protect themselves from potential harm. This enforcement action, coupled with OCR’s announcement of its small breach initiative, signals that OCR considers scrutinizing the breach reporting practices of both covered entities and business associates a high priority.

For more information on HIPAA compliance, contact Deepali DoddiKim Metzger or another member of our HIPAA Privacy and Security Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.


[1] See Breach Notification for Unsecured Protected Health Information: Interim Final Rule, 74 Fed. Reg. 42740, 42749 (August 24, 2009) (“Waiting longer than 60 days to notify individuals of breaches of their unsecured protected health information could substantially increase the risk of harm to individuals as a result of the breach and decrease the ability of the individuals to effectively protect themselves from harm.”)
[2] The Breach Notification Rule defines a “breach” as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the HIPAA Privacy Rule] which compromises the security or privacy of the protected health information.” See 45 C.F.R. § 164.402.  Certain inadvertent, good faith uses or disclosures of PHI are accepted from the definition of “breach.”  An impermissible use or disclosure of PHI is presumed a “breach” unless the covered entity or business associate can demonstrate that there was a low probability of compromise to the PHI based on a documented risk assessment of at least the following factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. 
[3] A regulated entity’s breach notification obligations are triggered only when a breach of “unsecured PHI” occurs.  “Unsecured PHI” is protected health information that has been rendered unusable, unreadable, or indecipherable to unauthorized parties.
[4] Additionally, when a breach occurs at a business associate, some covered entities choose to delegate breach notification responsibilities to the business associate.  But even when a covered entity delegates breach notification tasks to its business associate, the covered entity remains legally responsible for ensuring that breach notifications are timely and appropriately provided.
[5] See HIPAA Omnibus Final Rule, 78 Fed. Reg. 5566, 5648 (January 25, 2013).
[6] See 45 C.F.R. § 140.401 (definition of “reasonable diligence”).
[7] See HIPAA Omnibus Final Rule, 78 Fed. Reg. 5566, 5647 (January 25, 2013).
[8] Id. at 5648.
[9] See 45 C.F.R. § 164.414(a) (incorporating by reference the Privacy Rule’s requirement, at 45 C.F.R. §§ 164.530(i) and 164.530(j), that a covered entity document policies and procedures to comply with its provisions). 
[10] It is important to remember that under the HIPAA Security Rule, both covered entities and business associates alike must adopt procedures for responding to “security incidents” involving electronic PHI, and such incidents often amount to reportable breaches of unsecured PHI.
[11] See Breach Notification for Unsecured Protected Health Information: Interim Final Rule, 74 Fed. Reg. 42740, 42749 (August 24, 2009) (“[T]he time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in this rule.”).  Note that the date of discovery of a breach may also be the date on which the regulated entity should have discovered the incident if it had exercised reasonable diligence.  See 45 C.F.R. § 164.404(a)(2).
[12] The Breach Notification Rule also requires a covered entity to sanction workforce members who fail to comply with its breach notification policies and procedures. See 45 C.F.R. § 164.414(a) (incorporating by reference the Privacy Rule’s requirements, at 45 C.F.R. §§ 164.530(b) and 164.530(e) regarding workforce training and sanctions). The Rule does not contain the same requirements for business associates, but business associates are still advised to implement them.
[13] See Breach Notification for Unsecured Protected Health Information: Interim Final Rule, 74 Fed. Reg. 42740, 42749 (August 24, 2009).
[14] See id. at 42748. 
[15] Fla. Stat. § 501.171(4)(a).
[16] See, e.g., “[Indiana] Attorney General reaches settlement with WellPoint in consumer data breach,” July 5, 2011, available at http://www.in.gov/portal/news_events/71252.htm (announcing a settlement to resolve allegations that WellPoint, a health insurer, did not appropriately notify the Indiana Attorney General of the breach) and “Attorney General of California: Kaiser Stipulation and Final Judgement,” February 14, 2014, available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/kaiser_stipulation.pdf  (entering into a $150,000 settlement with Kaiser Foundation Health Plan for alleged failures to make timely notifications to California residents affected by a breach).

View Full Site View Mobile Optimized