You’ll Pay for a Delay

MattFisher-whiteBy Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

The Office for Civil Rights did not wait long into 2017 to issue its first settlement for a HIPAA related breach. The honor for Presence Health came only nine days into the year. The settlement, as so many before, provides a stark statement that delays in providing breach notification are unacceptable.

For background, Presence Health notified OCR about missing paper operating room schedules on January 31, 2014. However, Presence Health actually discovered the breach on October 22, 2013. Compounding the problem, Presence Health did not notify the individuals affected until February 3, 2014, and the local media until February 5, 2014. Both the individual and media notices occurred after notice to OCR. As always happens, OCR investigated Presence Health and found further issues of non-compliance. Specifically, OCR determined that Presence Health delayed breach notifications to individuals in multiple circumstances.

As would be expected, OCR did not take kindly to this pattern of behavior. OCR focused on the notice that lead to the investigation but clearly did not condone the delayed notifications. The non-compliance will cost Presence Health $475,000. In the grand scheme of settlements, this falls on the somewhat lighter side. A factor behind the amount could be that the October 22, 2013 breach impacted 836 individuals, which is not a big breach quantity wise. This does not touch upon the fact that any breach no matter what size carries serious implications for the impacted individuals.

Going forward, organizations must diligently investigate and determine whether a breach occurred and provide timely notification, where appropriate. Any delay will only result in higher costs to an organization. Namely, the cost of actually providing the notice could be compounded by a fine for sending the notice too late.

Another consequence of the settlement may be the inclusion of shorter notification terms within business associate agreements, whether from covered entity to business associate or business associate to subcontractor. Debates have arisen as to whether a double timeframe could apply, but rest assured that no one will wait to play with fire at this point.

Overall, the settlement should not impact organizations too much. It would already be a best practice to notify individuals of a breach as soon as possible because notification ties to trust with patients/customers. No organization wants to be seen as not taking privacy and security seriously. Bottom line, it is incumbent to fully understand all of HIPAA’s requirements and dutifully follow them.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.