Loyola University Chicago School of Law, JD 2017
In an unprecedented act, the Office for Civil Rights (OCR) entered into a settlement agreement with Presence Health Network based on the healthcare system’s failure to timely report a breach of unsecured protected health information (PHI). Under the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA), a covered entity must notify affected individuals of any breach of unsecured PHI and, for breaches affecting 500 or more people, must also notify the Department of Health and Human Services (HHS) and the media. Presence Health will pay $475,000 and implement a corrective action plan (CAP) to address misunderstandings about workforce member roles and responsibilities in the notification process.
Breach of PHI
Presence Health, a 150-location not-for-profit health care network in Illinois, discovered a breach of PHI when staff at Presence St. Joseph Medical Center determined that paper operating room schedules were missing. The documents included PHI for 836 individuals, including their names, dates of birth, dates and types of procedures, types of anesthesia used, and more. Though Presence Health discovered the breach on October 22, 2013, it did not notify the OCR until January 31, 2014, 101 days later. Individuals affected by the breach were not notified until February 3, 2014, and Presence Health did not notify the media until two days after that. The OCR investigated the incident and found that Presence Health had failed to provide timely notification to individuals whose PHI was compromised on numerous other occasions as well.
Breach Notification Rule Violations
The Breach Notification Rule (45 C.F.R. §§ 164.400-414) requires a covered entity to notify every individual affected by a breach of unsecured PHI without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. As the OCR learned, Presence Health did not notify affected individuals until 104 calendar days after discovery. When a breach affects 500 or more people, HHS must also be notified without unreasonable delay and no later than 60 days after discovery. Though HHS was the first party notified, that notification came 101 days after the breach was discovered. In addition to notifying individuals and HHS, a covered entity must notify a prominent media outlet serving the state or jurisdiction when 500 or more residents of that state or jurisdiction are affected. The October breach affected 836 individuals, and Presence Health did not notify the media until February 5, 2014, 106 days after discovery. Because the rule treats each day of delay as a continuing failure, the substantially late notification to individuals, HHS, and the media resulted in separate violations of the Breach Notification Rule for every day Presence Health failed to notify them.
In lieu of formal proceedings, HHS and Presence Health entered into a Resolution Agreement that included a $475,000 resolution amount and a corrective action plan. The OCR’s stated interest in encouraging timely breach reporting may explain the comparatively low resolution amount, which is well below the roughly $2 million average for settlement agreements in 2016. The two-year CAP requires Presence Health to revise its existing policies and procedures, distribute the HHS-approved policies and procedures to all workforce members within 30 days of approval, train all workforce members using HHS-approved training materials, and submit annual reports to HHS on its compliance with the CAP.
The policies and procedures section of the CAP specifically addresses the miscommunication between workforce members that Presence Health claims caused the delay in sending notifications to the appropriate individuals and organizations. The CAP requires Presence Health to implement several measures covering each stage of the reporting process to prevent similar situations from recurring. Presence Health’s current policies and procedures must be revised to “more explicitly delineate its workforce members’ roles and responsibilities.” HHS emphasized three areas: receiving and addressing both internal and external reports of potential breaches; completing risk assessments to determine whether PHI was compromised; and preparing notifications for affected individuals, HHS, and, where 500 or more individuals are affected, the media, without unreasonable delay and no later than 60 days after discovery. Furthermore, existing policies and procedures regarding workforce discipline must be updated to provide appropriate sanctions for failure to comply with the policies and procedures implementing the Breach Notification Rule.
Protective Measures for Covered Entities Going Forward
Covered entities should take this opportunity to reassess their current breach notification policies and procedures, with a focus on the role of each workforce member at every step of the process. The enforcement action against Presence Health is the first of its kind for untimely breach notification, but it is unlikely to be the last. Despite the relatively low penalty amount, an HHS investigation would be costly and time consuming for any organization, while updating policies and procedures is a far simpler step and demonstrates an entity’s commitment to protecting the individuals it serves.
Breach notification policies and procedures must detail the role and responsibilities of each individual in the process, from reporting possible breaches, to investigating them, to notifying the appropriate parties without unreasonable delay and within the 60-day deadline. Every member of the workforce is responsible for reporting a suspected breach and should be trained on how to do so. A risk assessment should occur promptly after a report is made to determine whether PHI has been compromised; under the rule, an impermissible use or disclosure is presumed to be a breach unless the covered entity demonstrates a low probability that the PHI was compromised. HHS guidance on the Breach Notification Rule states that the assessment should consider the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
As to notification, covered entities must notify the individual, and in certain circumstances HHS and the media, without unreasonable delay and no later than 60 days after discovery. All affected individuals must be notified of the breach by first-class mail, or by e-mail if they have agreed to electronic notice, and the notice must provide a brief description of the breach, the types of information involved, the steps individuals should take to protect themselves, a brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future breaches, and contact information for the covered entity. If the breach involves 500 or more individuals, the covered entity must also notify HHS, and a prominent media outlet serving the affected state or jurisdiction, without unreasonable delay and no later than 60 days after discovery, and the media notice must include the same information provided to affected individuals. If a breach involves fewer than 500 people, the media need not be notified, but the covered entity must log the breach and report it to HHS using the breach report form no later than 60 days after the end of the calendar year in which the breach was discovered.
Even a covered entity with a current breach notification policy or procedure can reduce the risk of a lengthy OCR investigation by reviewing its policies and procedures to determine whether it needs to designate specific workforce members for each aspect of the notification process or to add more detail about the responsibilities attached to each role.