OCR Announces First Fine for Failing to Provide Timely Notice:
As you know, HIPAA requires Covered Entities to notify affected individuals if there is a breach of their unsecured PHI. Specifically, 45 CFR 165.404(b) requires each affected individual to be notified of the breach "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach."
Presence Health, an integrated healthcare provider in Illinois, discovered that paper surgery scheduling records had gone missing; the surgery schedules contained PHI of 836 individual patients. The records were noted to be missing on October 22, 2013. However, notice was not provided to OCR until January 31, 2014 (101 days after the breach was discovered), and individual patients weren't notified until February 3 (104 days after discovery), and the media was not notified until February 5 (106 days after discovery). Obviously, this caused Presence to miss the "in no case later than 60 days" notification requirement. Presence blamed the tardiness on miscommunication between workforce members.
OCR noted that each of these tardy reminders is a separate HIPAA violation, and each day beyond the regulatory deadline is a separate violation
. That's at least 131 violations, perhaps more if you count each individual who didn't get a notification as a separate violation. That's a potential maximum penalty of almost $200 million. Fortunately, OCR only fined Presence $475,000.
This should be a reminder to covered entities that they are not just obligated to provide notice, they are obligated to provide timely
notice. But what does that mean, really?
Let's unpack a few things from the requirement. First, you have the question of whether a particular incident is a breach; next, when is it discovered; and finally, who should be reporting it (and how does that impact the question of when it is discovered). Be aware that the incident is "discovered" for the entity when it's known to a workforce member of the entity or the entity's "agent."
A reportable breach is an unauthorized access, acquisition, use or disclosure of unsecured PHI; however, the definition of breach gives 3 specific exceptions and one general exception (the "low risk of compromise" exception). That's a whole other blog post, but suffice it to say, you often won't know right off the bat whether you have a "breach" or something that might, upon further investigation, prove to be either a breach or a non-breach. So, given that, when does the clock start?
I'd say it depends on the incident. If it's clear that the incident will meet the definition of a breach when the investigation is over, then it's a breach. If an employee's car is burgled and a laptop containing unencrypted PHI was stolen, you should consider that the covered entity "discovered" the "breach" when the employee discovered the burglary. On the other hand, suppose you discover a security incident where the IT department discovers some malware that is capable of exporting data, including PHI. However, you don't have any reason to believe that data has been exported yet. It takes the IT department (and maybe a forensic vendor) a week to determine that yes, in fact, PHI was exported. I would argue that the "breach" is "discovered" when the exfiltration is found. However, keep in mind that the presumption goes to the breach, so (i) your confidence must be very high that the incident will not turn out to be a breach and (ii) your investigation must be swift and thorough.
And, it's useful to point out here that if the IT department discovers the exfiltration, that's the discovery point (because the IT department is full of "workforce members" of the entity; if it's a vendor that discovers it, but the vendor doesn't notify the entity for a few days, the discovery point will be when the vendor discovers if the vendor is considered the "agent" of the entity under federal common law, but will be the date the vendor notifies the entity if the vendor is not its"agent."
That should raise a question in your mind regarding business associates. As noted above, the reporting obligation falls on covered entities (CEs), and specifically does not fall on business associates (BAs). However, what if the breach is caused by the BA, or more importantly, what if the BA is the one to discover the breach? If the BA causes the breach, your BAA should handle how the BA notifies the CE. (NOTE: if your BAA allows the BA 60 days to notify you, how will you be able to meet the 60-day requirement?
) If the BA discovers the breach, your BAA should also require the BA to notify the CE. If the BA is an "agent" of the CE, then the CE is imputed to have discovered the breach at the exact time the BA discovered it; if the BA is not considered an agent, then the CE will have "discovered" the breach when the BA informed it, and that's when the clock starts ticking.
This can cause obvious problems. If the BA takes 3 months to discover the breach and another 3 months investigating it, AND the BA is your agent, then you better be prepared to throw yourself on the mercy of OCR (whatever that is). And if the BA notifies you that it has determined there was a breach but doesn't know yet whether your patients are involved, you have some issues to consider; if you think all your patients are likely involved, you should consider a preemptive notice to them. If the BA gives you the names of 100 affected individuals this week and 100 more next week, consider sending notice in waves. If your BA blows it, it could definitely be you that gets stuck with a monster fine.
This is why your BAAs should be specific on your BA's breach reporting requirements and should pass along the consequences for failure to investigate or notify to the bad-acting BA (i.e., indemnification). And why you need to be comfortable that your BA isn't an idiot.
Blogger: HIPAA Blog - Edit your Template