Sixty Days Means … Sixty Days: Recent OCR Action Highlights the Need for Timely Breach Notification
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently announced a settlement based on a covered entity’s failure to meet the breach notification timelines set forth in the HIPAA Breach Notification Rule (the Rule). On January 9, 2017, the OCR announced that Presence Health Network agreed to settle the violations by paying $475,000 and implementing a corrective action plan. The settlement is an important reminder that once a breach is discovered, organizations must move expeditiously to notify affected individuals, the OCR, and, in some cases, the media.
Presence Health Network owns Presence St. Joseph Medical Center (Presence), a covered entity. On October 22, 2013, Presence discovered a breach involving the loss of paper operating room schedules containing 836 individuals’ protected health information. Below is a summary of each violation, the applicable rule, and a description of Presence’s actions following discovery – pay close attention to the dates!
1. Violation: Presence failed to provide timely written notification to affected individuals.
- Rule: Following discovery of a breach (regardless of the number of affected individuals), a covered entity must notify affected individuals without unreasonable delay, and in no event more than sixty (60) calendar days after discovery. A breach is treated as discovered on the first day it is known to the covered entity, or by exercising reasonable diligence would have been known, so the clock starts when any workforce member or agent learns of the incident, not when the compliance office is told.
- What Went Wrong: Presence notified affected individuals on February 3, 2014 – 104 calendar days after discovery.
2. Violation: Presence failed to provide timely written notification to the media.
- Rule: If the breach involves more than 500 residents of a State or jurisdiction, the covered entity must notify prominent media outlets serving that State or jurisdiction without unreasonable delay, and in no event more than sixty (60) calendar days after discovery.
- What Went Wrong: Presence notified the media on February 5, 2014 – 106 calendar days after discovery.
3. Violation: Presence failed to provide timely notification to the OCR.
- Rule: A covered entity must notify the OCR of the breach in the manner specified on the HHS web site. If the breach involves fewer than 500 individuals, notification must be made no later than sixty (60) days after the end of the calendar year in which the breach was discovered (such breaches may be logged and submitted together). If the breach involves 500 or more individuals, notification must be made contemporaneously with the individual notice, and in no event more than sixty (60) calendar days after discovery.
- What Went Wrong: The breach involved over 500 individuals. Presence notified the OCR on January 31, 2014, 101 calendar days after discovery. Note also that the OCR notification was made three days before the individual notice rather than contemporaneously with it.
The only relief the Rule provides from these timelines is a delay, not an exemption: if a law enforcement official states that notification would impede a criminal investigation or cause damage to national security, the covered entity may delay notification for the period specified in a written statement, or, if the statement is oral, for no more than 30 days unless a written statement is submitted during that time. This provision did not apply in the case of Presence. Presence stated that its lack of timely notification was “due to miscommunications between its workforce members.”
The OCR also noted that each day on which Presence failed to notify the individuals, the media, and the OCR constituted a separate violation and could have subjected Presence to civil monetary penalties. During its investigation the OCR also found that, in the case of previous breaches involving fewer than 500 individuals, Presence had failed to provide timely notification to individuals.
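The three rules above, together with the per-day counting the OCR applied, reduce to a small deadline calculation that an incident response team can keep in its breach runbook. The following is an added example written for this page, not code from the OCR, HHS, or Presence. It assumes the thresholds and 60-day limits stated above, treats the discovery date as day zero, and (by default) assumes every affected individual lives in one State or jurisdiction for the media threshold; the `check_notifications` helper and its input format are this example's own design. It is run here against the Presence dates given above.

```python
from datetime import date, timedelta
from typing import Dict, Optional

OUTER_LIMIT_DAYS = 60          # "in no event more than sixty (60) calendar days after discovery"
HHS_IMMEDIATE_THRESHOLD = 500  # 500 or more individuals: HHS notice contemporaneous with individual notice
MEDIA_THRESHOLD = 500          # more than 500 residents of a State or jurisdiction: media notice required


def compute_deadlines(discovered: date, affected: int,
                      max_state_residents: Optional[int] = None) -> Dict[str, Optional[date]]:
    """Latest permitted date for each notice, keyed by recipient (None = not required).

    `discovered` is the date the breach was (or should have been) known, `affected`
    the total number of individuals, and `max_state_residents` the largest count of
    affected residents in any single State or jurisdiction. Assumption for this
    example: when omitted, everyone is treated as living in one jurisdiction.
    """
    if max_state_residents is None:
        max_state_residents = affected
    outer_limit = discovered + timedelta(days=OUTER_LIMIT_DAYS)
    # Breaches under 500 may be reported to HHS within 60 days after the end of
    # the calendar year in which they were discovered.
    year_end = date(discovered.year, 12, 31)
    return {
        "individuals": outer_limit,
        "media": outer_limit if max_state_residents > MEDIA_THRESHOLD else None,
        "hhs": (outer_limit if affected >= HHS_IMMEDIATE_THRESHOLD
                else year_end + timedelta(days=OUTER_LIMIT_DAYS)),
    }


def days_between(earlier_iso: str, later_iso: str) -> int:
    """Calendar days from one ISO date to another (e.g. discovery to notice)."""
    return (date.fromisoformat(later_iso) - date.fromisoformat(earlier_iso)).days


def days_late(sent: date, deadline: date) -> int:
    """Days past the deadline; each such day was counted by the OCR as a separate violation."""
    return max(0, (sent - deadline).days)


def check_notifications(discovered_iso: str, affected: int,
                        sent_iso: Dict[str, str],
                        max_state_residents: Optional[int] = None) -> Dict[str, int]:
    """Days late for every required notice (0 = on time).

    `sent_iso` maps recipient ("individuals", "media", "hhs") to the ISO date the
    notice went out. A required notice that is missing raises, because "not yet
    sent" is the worst case, not a zero.
    """
    deadlines = compute_deadlines(date.fromisoformat(discovered_iso), affected, max_state_residents)
    lateness: Dict[str, int] = {}
    for recipient, deadline in deadlines.items():
        if deadline is None:
            continue  # notice not required for this breach
        if recipient not in sent_iso:
            raise ValueError(f"{recipient} notice due by {deadline.isoformat()} but not sent")
        lateness[recipient] = days_late(date.fromisoformat(sent_iso[recipient]), deadline)
    return lateness


# Dates and headcount from the Presence settlement described above.
PRESENCE_DISCOVERED = "2013-10-22"
PRESENCE_AFFECTED = 836
PRESENCE_SENT = {"individuals": "2014-02-03", "media": "2014-02-05", "hhs": "2014-01-31"}

if __name__ == "__main__":
    for recipient, deadline in compute_deadlines(date.fromisoformat(PRESENCE_DISCOVERED),
                                                 PRESENCE_AFFECTED).items():
        print(f"{recipient:12s} due {deadline}")
    for recipient, late in check_notifications(PRESENCE_DISCOVERED, PRESENCE_AFFECTED,
                                               PRESENCE_SENT).items():
        print(f"{recipient:12s} sent {days_between(PRESENCE_DISCOVERED, PRESENCE_SENT[recipient])} "
              f"days after discovery, {late} days late")
```

For the Presence dates every deadline falls on December 21, 2013, and the individual, media, and OCR notices come out 44, 46, and 41 days late respectively, which is the count of per-day violations the OCR referred to. Feeding a breach of fewer than 500 individuals through the same function drops the media notice and moves the HHS deadline to March 1 of the following year, while the individual deadline stays at 60 days from discovery.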
Any breach response, large or small, takes time. Organizations must gather the list of affected individuals and their contact information, implement mitigation steps (for example, engaging a credit monitoring vendor), and draft the written notifications (which may involve multiple versions for different segments of the affected population). This recent OCR action is a useful reminder that, following discovery of a breach, organizations must act quickly not only to investigate and mitigate the breach, but also to provide breach notification within the required timelines.