HIPAA Breach Notification Failure Leads to $2.175 Million Settlement | Practical Law

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced that a Virginia-based network of health providers must pay $2.175 million to settle alleged privacy and breach notification violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The health providers, which comprise an affiliated covered entity under HIPAA, must also complete a two-year corrective action plan under which they must revise and distribute their breach notification procedures and submit to HHS oversight concerning breach risk assessments.

Practical Law Legal Update w-023-0249 (Approx. 5 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 27 Nov 2019, USA (National/Federal)
On November 27, 2019, HHS's Office for Civil Rights announced that a Virginia-based network of health providers – comprising an affiliated covered entity under HIPAA – will pay $2.175 million to settle alleged violations of HIPAA's privacy and breach notification rules (see Practice Note, HIPAA Privacy Rule: Affiliated Covered Entities and HIPAA Privacy, Security, and Breach Notification Toolkit). The hospital network includes 10 hospitals with more than 300 sites of care.

Providers Underreported Extent of Breach Incident

The enforcement action resulted from a complaint alleging that the health providers sent a bill to a patient containing another patient's protected health information (PHI). Further investigation revealed that, because of a mailing label error, the PHI of more than 575 patients was sent to the wrong addresses. According to an HHS press release, the PHI included the individuals' names, account numbers, and dates of service.
Although the health providers notified HHS of the breach, their notification significantly underreported the extent of the incident. Under the mistaken belief that HIPAA breach notification is not required unless a disclosure includes patient diagnosis, treatment information, or other medical information, the providers reported to HHS that the breach had only affected eight individuals (see Practice Note, HIPAA Breach Notification Rules: What Is a Breach Requiring Notification). Moreover, the providers declined to furnish a full breach notification even after HHS expressly advised them of their duty to do so. The providers also failed to enter into business associate agreements with related entities that performed services for them involving the receipt, maintenance, and disclosure of PHI (see Standard Document, HIPAA Business Associate Agreement).

$2.175 Million Payment and Corrective Action Plan

In addition to the $2.175 million payment, the health providers must comply with a corrective action plan (CAP) requiring them to, among other requirements:
  • Develop, review, and revise, as necessary, their written policies and procedures concerning HIPAA's breach notification requirements (see Practice Note, HIPAA Breach Notification Rules).
  • Submit their revised policies and procedures to HHS for review and approval at least annually.
  • Distribute the revised policies and procedures to:
    • all workforce members within 60 days of receiving HHS approval; and
    • new workforce members within 30 days of when they start work.
  • Promptly investigate any report of unauthorized disclosures of PHI and notify HHS in writing within 15 days of determining that an unlawful breach did not occur (which must be within 60 days of when the providers learn of a potential breach).
  • Provide HHS with several reports summarizing their implementation of the CAP.
  • Review and update their HIPAA breach notification training materials (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).
  • Submit to two years of monitoring by HHS.

Practical Impact

Under HITECH Act requirements enacted more than a decade ago and later addressed in implementing regulations, HIPAA covered entities and business associates must comply with extensive breach notification requirements involving unsecured PHI. These requirements include detailed rules concerning when, how, and to whom breach notification must be provided – along with specific content requirements for the notification (see Practice Note, HIPAA Breach Notification Rules and Standard Document, HIPAA Breach Notification Letter to Plan Participants and Other Individuals). It's possible – perhaps even likely – that the $2.175 million settlement amount imposed here would have been significantly less if the health providers had heeded HHS's express recommendation to provide a complete breach notification.