The deadline for covered entities (i.e., health plans) to file their annual HIPAA breach reports with the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) is fast approaching. Breaches of protected health information (PHI) involving 500 or more individuals must be reported no later than 60 calendar days from the discovery date. However, PHI breaches involving less than 500 individuals can be documented throughout the course of the year and submitted 60 days after the end of the respective calendar year (although notifications for individuals impacted by those data breaches cannot be delayed). This means that covered entities have until March 1, 2018 to fulfill their 2017 HIPAA breach reporting obligations. As background, HHS issued the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) to implement the requirements of HIPAA and establish a set of national standards for the protection of PHI by covered entities. The Privacy Rule also establishes standards for individuals’ privacy rights to understand and control how their health information is used. A data breach is defined as an acquisition, access, use, or disclosure of unsecured protected health information (PHI) that is not permitted by the Privacy Rule. Unsecured PHI is defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology. HIPAA Policies and Procedures To prevent a HIPAA data breach and mitigate its impact should a breach occur, covered entities should (and are required by HHS) develop and implement policies and procedures (the “Policies and Procedures”) that are consistent with the HIPAA Privacy Rule and provide a roadmap for permissible uses and disclosures of PHI. Self-insured health plans must implement Policies and Procedures that include the following information (in addition to other legally-required details):
- Restrictions to access and uses of PHI based upon the specific roles of the workforce members;
- Limitation on the uses and disclosures of PHI to the minimum amount necessary needed to accomplish the use, disclosure, or request;
- Methods for mitigating, to the extent practicable, any harmful effect caused by the use or disclosure of PHI by its workforce in violation of the Privacy Rule; and
- Designation of a privacy official responsible for developing and implementing its privacy policies and procedures and a contact person responsible for receiving complaints on the covered entity’s privacy practices
Covered entities must have clear policies and procedures in place to timely respond to PHI breach notification requirements, and they must provide ongoing Policies and Procedures training for workforce member as necessary for them to carry out their functions. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (regardless of whether they are paid by the entity). A covered entity must have and apply appropriate sanctions against workforce members who violate its Policies and Procedures. HIPAA Penalties Penalties for HIPAA violations are expensive and can be issued by both the OCR and state attorneys general. Generally, penalties for HIPAA violations are based upon the level of negligence and range from $100 - $50,000 per violation (or per record) up to $1.5 million per year. In addition to financial penalties, OCR may require a covered entity to adopt a corrective action plan to bring Policies and Procedures up to the standards demanded by HIPAA. In January 2017, OCR initiated an enforcement action against a health care provider, Presence Health (“Presence”), for failure to timely report a breach of unsecured PHI that involved 836 individuals. Ultimately, Presence agreed to pay $475,000 for such failure proving that ignoring the deadline for reporting breaches or unnecessarily delaying breach reports is a HIPAA violation that will not be ignored.