First HIPAA Settlement for a Late Breach Notice
On January 9, 2017, the Department of Health and Human Services announced the first HIPAA settlement based on a late breach notice. An Illinois health care network lost paper-based PHI of 836 individuals, and did not provide notice to them until 104 days after the breach was discovered. Media notice went out on day 106. HHS was notified 101 days after discovery. When HHS did an investigation, it found other smaller breaches where timely notice was not provided to individuals. Under the resolution agreement, the covered entity paid $475,000 and agreed to enter into a two year corrective action plan. The corrective action plan includes a number of requirements. For example, the covered entity must revise its policies and procedures regarding breach notification and workforce member sanctions, and also review its policies at least annually to see if they need updating.
The settlement reinforces the importance of having a written – and actionable – incident response plan. Having a written plan in place helps to organize and streamline the incident response process. Incident response players must have clarity on roles, responsibilities and authority during an incident. Without clear instructions and authorizations in place, personnel will respond inconsistently, creating both brand and legal risks to the organization. In particular, it is critical that the incident response plan establish clear communications protocols, including triggers for cross-functional coordination and escalation. Key personnel are unable to carry out their responsibilities if they are unaware of incidents that require their attention.
A common communications error is neglecting to engage the appropriate parties early enough in the incident process. The issue of late engagement frequently surfaces with respect to communications with the legal department. For example, if legal is not engaged early enough in the process, the risk for non-compliance with state or federal laws (e.g., breach notification requirements) increases, which can result in government investigations or litigation, like that of HHS. Having an incident response plan with clearly-defined triggers for when certain departments and players need to be informed of and engaged in the response process can help to mitigate the risk of running afoul of legal obligations like those in the instant case.