For the first time, a healthcare provider is settling a HIPAA violation based on failure to quickly report a breach. It can be difficult to determine when to start the clock for the deadline.
- The breach involved paper records of OR schedules.
- Notification is required without unreasonable delay and no later than 60 days after discovering a breach.
- The provider waited more than 100 days after discovering the breach to notify the appropriate parties.
For the first time ever, the Department of Health and Human Services, Office for Civil Rights (OCR), is settling a HIPAA violation based on failure to report a breach in a timely fashion. The case illustrates how it can be difficult to determine the timeline for a breach, but it could be just the first case of this type.
The breach occurred at a facility owned by Presence Health, one of the largest healthcare networks serving Illinois with 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Presence agreed to pay $475,000 and implement a corrective action plan, OCR announced recently.
Unlike prior HIPAA enforcement cases, this one began with Presence’s own report of the problem. On Jan. 31, 2014, OCR received a breach notification report from Presence indicating that it had discovered on Oct. 22, 2013, that paper-based OR schedules containing the protected health information (PHI) of 836 individuals were missing from the Presence Surgery Center at the Presence Saint Joseph Medical Center in Joliet, IL. The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.
OCR’s investigation found that Presence Health failed to notify OCR, each of the 836 affected individuals, and prominent media outlets without unreasonable delay and within 60 days of discovering the breach. Media notification is required for breaches affecting 500 or more individuals.
Assuming good faith on Presence’s part, the delay in notification may have been related to the time it took administrators to confirm the breach and then investigate it, suggests Jeff Drummond, JD, an attorney with the Dallas office of the law firm Jackson Walker.
“A lot of these breaches are slow-moving train wrecks,” he says. “Something happens, it takes time for anybody to realize it happened, and it may take longer for everyone to confirm that yes, it really did happen, even if there’s no discernible damage from the breach. So sometimes you can have a breach and it takes a long while for anybody to do anything or make notifications, and that seems odd when you’re looking back at that first initial date.”
OCR took that into consideration in the past and was not strict about using that initial date as the starting point, Drummond explains. This settlement suggests OCR has changed its position, he says.
“People have not been in any hurry to get their notifications out and they’ve been getting away with taking long times to investigate,” he says. “I think this case is an indication that OCR decided people were taking a little too much for granted that they could get away with that. This case gave OCR an opportunity to make an example of somebody.”
Timely notification will join the other issues that OCR can raise if it wants to put the screws to a provider for some reason, Drummond says, along with hard-to-define deficiencies such as an “insufficient” risk analysis or insufficient policies and procedures.
“Not only were your safeguards insufficient and that’s why you had the breach, but you had these other problems as well, and timely notification will be one of those things they can throw in,” Drummond says. “It can be one more thing they use to justify imposing a penalty.”
Drummond also cautions that the 60 days in the breach notification requirement is not necessarily what OCR will consider acceptable in every case. It is theoretically possible, though it has not happened yet, to notify the appropriate parties within 60 days of the earliest date and still be penalized for failing to notify in a timely manner, he says.
“People throw the 60 days around as if that’s the time you have to report, and that’s not accurate,” Drummond says. “You’re required to report as soon as is practical. The 60 days is just a drop-dead date you have to report by.”
Even if you notify at 60 days or 55 days, OCR could still claim that you should have been ready and able to notify at 35 days, Drummond explains.
Drummond advises counting the 60 days from the date you first learned of the incident, or of the possibility of an incident, rather than from a later date on which you determined that a breach definitely occurred or some other determination was made. Play conservatively with that time frame.
“You could make the argument that it’s not until you’re certain you have a reportable breach that the 60 days begins to tick, but I wouldn’t be comfortable with that,” he says. “The only way that might be reasonable is if between the time you discovered a problem and determined it was a reportable breach, you had reason to have a very high level of confidence that it would not be reportable.”
Poor Risk Assessment
The breach itself probably occurred because there was inadequate risk assessment, says Denise Bloch, JD, an attorney with Sandberg Phoenix & von Gontard in St. Louis.
“While breaches may happen no matter what preventive measures and policies and procedures are in place, such as workforce members failing to follow policy or procedure, the likelihood of this particular breach might have been reduced if a risk assessment had been conducted and identified the risk the paper operating room records posed,” she says. “As a result of the risks identified, the covered entity could have implemented stronger policies and procedures requiring that the records be kept in a locked location, with access limited solely to those individuals needing the information, and requiring those individuals to return the records to the locked location following use.”
Even better, the records could have been kept electronically, Bloch says.
Bloch notes that the notification requirements differ according to the number of individuals affected. For all breaches, notification to the affected individuals must occur without unreasonable delay and in no case later than 60 days after discovery of the breach. When 500 or more individuals are affected, OCR must also be notified without unreasonable delay and no later than 60 days after discovery, and when those individuals are residents of a single state or jurisdiction, prominent media outlets serving that state or jurisdiction must be notified on the same timeline.
In cases affecting fewer than 500 individuals, notification to OCR is due no later than 60 days after the end of the calendar year in which the breach was discovered.
Although there can be some confusion about timing, there is no doubt that notification was not timely in this case, Bloch says. The breach was not reported to OCR until Jan. 31, 2014, 101 days after the discovery of the breach. Affected individuals were not notified until Feb. 3, 2014, 104 days after discovery of the breach. Presence did not notify the media until Feb. 5, 2014, 106 days after discovering the breach.
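The tiered deadlines Bloch describes, and the 101/104/106-day timeline in the Presence case, are easy to get wrong when a breach response team is working from memory. The following is an added example, not code from the article or from any of the firms quoted, that encodes the two notification tiers and grades a set of actual notification dates against them. The date values for Presence are the ones reported above; the `DEADLINE_DAYS` constant and the function names are the example’s own. It treats the discovery date as the date the incident first became known, which is the conservative choice Drummond recommends, and it reports the outer limit only: notifying on day 59 still has to be defensible as “without unreasonable delay.”

```python
from datetime import date, timedelta

# Outer limit in the HIPAA Breach Notification Rule. The operative standard is
# "without unreasonable delay"; 60 days is the drop-dead date, not a safe harbor.
DEADLINE_DAYS = 60


def notification_deadlines(discovered: str, affected: int) -> dict:
    """Return the outer-limit deadline (ISO date string) for each required notice.

    `discovered` is the date the incident first became known, in ISO format.
    `affected` is the number of individuals affected. The article treats the
    500 threshold as the trigger for both the OCR and the media notice; for the
    media notice the count is of residents of one state or jurisdiction.
    """
    found = date.fromisoformat(discovered)
    outer = found + timedelta(days=DEADLINE_DAYS)
    deadlines = {"individuals": outer.isoformat()}
    if affected >= 500:
        # Large breach: OCR and prominent media on the same clock as individuals.
        deadlines["ocr"] = outer.isoformat()
        deadlines["media"] = outer.isoformat()
    else:
        # Small breach: OCR notice is due 60 days after the end of the calendar
        # year of discovery; no media notice is required.
        year_end = date(found.year, 12, 31)
        deadlines["ocr"] = (year_end + timedelta(days=DEADLINE_DAYS)).isoformat()
    return deadlines


def assess_notifications(discovered: str, affected: int, notified: dict) -> dict:
    """Grade actual notification dates against the deadlines.

    `notified` maps party name -> ISO date the notice went out (missing = not sent).
    Each result records days elapsed since discovery and how many days late the
    notice was (0 when it met the outer limit).
    """
    found = date.fromisoformat(discovered)
    report = {}
    for party, due_iso in notification_deadlines(discovered, affected).items():
        due = date.fromisoformat(due_iso)
        sent_iso = notified.get(party)
        if sent_iso is None:
            report[party] = {"due": due_iso, "sent": None, "elapsed": None, "late_by": None}
            continue
        sent = date.fromisoformat(sent_iso)
        report[party] = {
            "due": due_iso,
            "sent": sent_iso,
            "elapsed": (sent - found).days,
            "late_by": max(0, (sent - due).days),
        }
    return report


# Dates as reported in the article (discovery Oct. 22, 2013; 836 individuals).
PRESENCE_NOTICES = {
    "ocr": "2014-01-31",
    "individuals": "2014-02-03",
    "media": "2014-02-05",
}


def presence_case() -> dict:
    """Worked instance: the Presence Health timeline graded against the rule."""
    return assess_notifications("2013-10-22", 836, PRESENCE_NOTICES)


if __name__ == "__main__":
    for party, row in presence_case().items():
        print(f"{party:12} due {row['due']}  sent {row['sent']}  "
              f"day {row['elapsed']}  late by {row['late_by']} days")
```

Run stand-alone, the script shows all three Presence notices due on Dec. 21, 2013 and sent 41, 44 and 46 days late. Changing the affected count to, say, 10 drops the media notice and pushes the OCR deadline to March 1, 2014, which is the small-breach rule in action; it does not change the 60-day limit for notifying the individuals themselves.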
“The key lesson to learn is to timely investigate possible breaches and timely report any breaches according to the breach notification rule, but another lesson is the importance of training workforce members to not only be aware of their obligations under HIPAA to avoid breaches, but if one occurs, to know who to report any incidents to, and what circumstances require such reporting,” Bloch says.
Providers need to train their workforce specifically on how to report breaches and ensure the breach response team understands its responsibilities, says Kelli Fleming, JD, partner with the law firm of Burr & Forman in Birmingham, AL. Tabletop exercises are a great tool for identifying weak links in the breach response process, she says.
Other Deficiencies Found
Each day that notification was not made to the individuals, OCR, or the media constituted three separate violations, notes Stacey Gulick, JD, partner with the law firm of Garfunkel Wild in Great Neck, NY, and co-chair of the firm’s HIPAA compliance practice group.
“When questioned about the failure to notify in a timely fashion, Presence claimed internal miscommunication,” Gulick says. “Also relevant was that when the OCR investigated the breach, it reviewed other Presence breach reports and found other instances of failure to meet the notification time frames. This is the first settlement for failure to notify in a timely fashion, and could very well be the first of many.”
The fact that paper records were involved is noteworthy, says Kristin Jones, JD, an attorney with the law firm of Stradley Ronon in Malvern, PA. Many providers are so focused on the risks associated with electronic medical records that they forget to protect traditional paper records as well, she says.
“OCR is unquestionably cracking down on HIPAA breaches as a whole, and we see announcements of record settlements regularly. Healthcare providers have had nearly four years to implement their policies, and OCR is no longer tolerating preventable mistakes,” Jones says. “Not only should providers expect more enforcement actions related to timely notification, but they should expect other procedural deficits to catch OCR’s eye during breach reporting and HIPAA audits.”
Fleming agrees that providers should expect greater scrutiny on timely notification.
“The message this enforcement sends is that OCR is taking these breach notification time frames seriously, and that strict compliance with the deadline is mandatory,” she says. “While Presence had a history of not reporting breaches in a timely manner, which probably contributed to the level of enforcement taken by OCR, I would not be surprised if we were to see similar action taken against other providers in the future, especially in situations where additional areas of noncompliance are discovered following an OCR investigation.”
State Laws Vary
It is important to understand the distinction between federal and state notification requirements, says Brian Lapidus, managing director for identity theft and breach notification with the fraud consulting firm Kroll in Nashville, TN. The definition of “timely” notification varies from state to state, he says. For example, Connecticut requires notification within 90 days, but Florida requires it within 30. California states that notification must occur “within the most expedient time possible and without unreasonable delay.”
“Notification can be a juggling act for organizations, because the process of conducting a thorough investigation to identify all affected individuals is critical and often takes time,” Lapidus says. “The timing of notification is a big issue for any organization because releasing incorrect information about a breach can create needless anger, worry, and fear, and in healthcare can be even more critical given the type of information stored.”
A plan is not enough. Kroll encourages organizations to regularly review, update, and drill their plans. These exercises help identify security gaps, address employee training needs, strengthen communication structures, and adapt plans to the ever-changing nature of cyber threats. By conducting drills, organizations give themselves a better chance of responding to breaches effectively and meeting notification timing requirements.
Aside from the specific violation of the notification rule, the settlement also signals that OCR expects more of healthcare providers. Failure to understand the requirements will be accepted as an excuse less often, Lapidus says.
“I think as data breaches continue to occur and evolve, the expectation that an organization is prepared ahead of time and able to demonstrate movement and notification efficiently and in a reasonable amount of time will be the expected norm,” Lapidus says. “That said, every breach is different; it often takes time to understand what happened and to determine next steps.”
Lapidus says the lessons in the Presence case include more than just reporting in a timely manner.
“The key lessons are to take proactive incident response planning measures and define the necessary internal roles and responsibilities determined before a breach occurs to help increase the chances of a timely investigation and notification,” he says. “And remember, a breach can involve one individual to millions of personal records, so organizations need to plan ahead for a range of scenarios.”
Sources
- Denise Bloch, JD, Sandberg Phoenix & von Gontard, St. Louis. Telephone: (314) 425-4909.
- Jeff Drummond, JD, Jackson Walker, Dallas. Telephone: (214) 953-5781.
- Kelli Fleming, JD, Burr & Forman, Birmingham, AL. Telephone: (205) 458-5429.
- Stacey Gulick, JD, Partner, Garfunkel Wild, Great Neck, NY. Telephone: (516) 393-2264.
- Kristin Jones, JD, Stradley Ronon, Malvern, PA. Telephone: (484) 323-1355.
- Brian Lapidus, Senior Vice President, Kroll, Nashville, TN. Telephone: (615) 577-6770.