When someone thinks he or she may have made a mistake, their first instinct might be to keep quiet about it and hope that it’s not really a problem.  That's the wrong instinct when dealing with protected health information of others (PHI) that is subject to HIPAA’s Breach Notification Rule.

The US Department of Health and Human Services’s Office of Civil Rights (OCR) gave important insights into the human dimensions of the response to a data breach involving protected health information in a recent settlement agreement.  This was the first time that the OCR has fined a company for being too slow to notify patients and others that their information had been compromised.

Dragging your feet can be costly

Somebody at Presence St. Joseph Medical Center in Joliet, Illinois, misplaced “paper-based” operating room schedules which contained the protected health information of 836 patients.  The loss was discovered on October 22, 2013.  The Breach Notification Rule requires that patients be notified of a breach “without unreasonable delay but in no case later than 60 calendar days after discovery of a breach.”  If 500 or more individuals are involved, local media and the Department of Health and Human Services must be notified at the same time. Presence St. Joseph notified HHS on the 101st day after discovery, the patients on the 104th day after the discovery and the media on the 106th day after the discovery.

In its press release, the Medical Center stated, “Upon discovering the missing information, the surgery center initiated an investigation and attempted to recover the schedules.  Given the fact we can’t find it at this time and haven’t recovered it, it’s important to notify our patients.”  In assessing the $475,000 fine, OCR counted each day that notice to each of the three groups was late.  This resulted in triple fines for days 61 through 101 of the undisclosed breach and double fines for the next three days.

Make breach reporting easy

A couple of comments in OCR’s press release and the settlement agreement itself hint at the internal dynamics that led to this result.

In its press release, OCR noted its “desire not to disincentive[iz]e breach reporting altogether.”  The Resolution Agreement itself required Presence St. Joseph to “more explicitly delineate its workforce members’ roles and responsibilities with respect to: (a) receiving and addressing internal reports made by workforce members of potential breaches of unsecured PHI; [and] (c) completing risk assessments of potential breaches of unsecured PHI to determine the probability that the PHI has been compromised.”

Companies who are HIPAA covered entities or business associates should make clear to their employees that it is a duty to quickly report up into the organization any incident where patient information is misplaced, lost, stolen or potentially compromised even if they are concerned that they may have some role in the loss.  The company needs to know.  It has a strict deadline if the loss constitutes a breach.  If it does, the company has to notify the persons whose information has been compromised relatively quickly.  Once a concern has been raised, the company has a lot of work to do to determine what happened and who is affected.  Employees should have a clean frictionless line of communication to the company’s HIPAA security official so the process can get started.

Do you have a breach policy?

Under the Breach Notification Rule, discovery dates from the time an employee “other than the person committing the breach” finds out about it. 45 CFR §164.404(a)(2).  The problem is that the words “commit” and “breach” are both legal conclusions which may not be clear until many days, weeks or months after the information has gotten loose.  For practical purposes, the company must start the stop watch on notification when the first employee finds out.

The recent OCR settlement is a good occasion to check our own Breach Notification Policies and see how much of this is “explicitly delineated.”