To ring in 2017, OCR announced its first HIPAA settlement based on late reporting of a data breach. Presence Health, a health system in Illinois with multiple locations (150 sites, including 11 hospitals and 27 long term care and senior living facilities), reported a data breach in 2014 about 100 days after it occurred. The breach: paper records gone missing from an OR at one of its facilities, including PHI on over 800 patients: patient names, dates of birth, medical record numbers, procedure dates and types, surgeon names and anesthesia types. The rules require notification “without unreasonable delay” and within 60 days to patients and to OCR and to local press, given the scope of the breach (over 500 patient records). Presence agreed to a $475,000 fine and a corrective action plan involving revision of policies and procedures and training of staff.
This case is notable because it is the first reported case of its kind. OCR has not previously taken action against a covered entity triggered by delay in notifying patients or others of a breach. OCR has taken the “slow but steady” approach, working with the regulated community with a focus on education in addition to enforcement. Numerous OCR guidance documents (including the guidance on breach notification) have been published, on various topics, and the announcement of this settlement now puts the regulated community on notice that this often-discounted deadline is, in fact, a hard and fast deadline — unless of course it is extended per instructions from a law enforcement official (see 45 CFR 164.412).
It is always worth noting that concerns about health data privacy and security do not begin and end with HIPAA. Some health data, and some custodians and users of health data, are not subject to HIPAA, but are instead subject to state laws or other federal laws. Some situations are governed by HIPAA and other law as well.
For example, Federal Trade Commission considerations should be top of mind for health care providers and businesses dealing with health data.
Current events remind us that publicly traded enterprises dealing with personal data are subject to additional requirements regarding breach notification.
Yahoo is reportedly under investigation by the SEC for the two-year delay in its reporting of a security breach that involved the compromise of hundreds of millions of user accounts (and a three-year delay in reporting another breach). From the SEC perspective, the key issues are whether the breach is “material” to the company’s business (after all, the bad guys are hacking, or attempting to hack, any business worth its salt at any given time) and, if so, whether failure to disclose the breach allowed insiders to profit before the breach was more widely known (whether due to trades or due to the effect the withholding of information had on the negotiations with Verizon regarding its proposed acquisition of Yahoo). Consider the ramificaitons if a publicly-traded company had delayed reporting of a material data breach to both the OCR and the SEC. Thus far, the SEC has not taken action against a publicly traded company for failing to timely disclose a breach.
There’s a first time for everything.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting