Last week, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) took precedential steps against a Health Insurance Portability and Accountability Act (“HIPAA”) covered entity when, as part of a Resolution Agreement, it required payment of $450,000 by the Illinois-based health system Presence Health for failing to timely report a breach of protected health information in violation of the HIPAA Breach Notification Rule. Prior to the Presence Health enforcement action, HHS had never sought financial sanctions based solely on a delay in the report of a data breach, choosing, instead, to focus on constructive improvements to protect health information.
With respect to a breach of protected health information affecting 500 or more individuals, the HIPAA Breach Notification Rule requires a covered entity to notify the Secretary of the breach without unreasonable delay and in no case later than 60 days after discovery of the breach. For breaches affecting fewer than 500 individuals, a covered entity is required to notify the Secretary within 60 days of the end of the calendar year in which the breach was discovered, though an entity may report it earlier, upon discovery of the breach. See 45 C.F.R. § 164.408.
Against the foregoing backdrop, Presence Health waited more than 60 days after discovery of a breach involving the protected health information of 836 individuals. Because of that failure to timely report the incident, HHS required, as part of the Resolution Agreement, not only the implementation of a corrective action plan but also a payment for violation of the Breach Notification Rule, even though HHS had never previously issued a civil fine against any healthcare provider for failure to timely comply with the HIPAA notification mandate. By including, for the first time, a financial component in the Presence Health Resolution Agreement, HHS is putting all covered entities on notice that violations of the HIPAA Breach Notification Rule will not be resolved solely through agreement on a corrective action plan, but will also be subject to financial penalties, with a view toward encouraging compliance and promoting greater transparency to individuals affected by a breach. The Resolution Agreement and Corrective Action Plan, which included, among other things, the implementation of compliant policies and procedures to ensure compliance with the Breach Notification Rule and annual employee training, can be found here.
Outside the healthcare industry, the responses and actions required under federal and state privacy laws vary depending on the industry, the type of company and the nature of the breach. For example, with respect to federal law: under the Gramm-Leach-Bliley Act, financial institutions must notify their customers of a breach; the Sarbanes-Oxley Act and the implementing regulations promulgated by the SEC have been interpreted as imposing reporting requirements on publicly traded companies, under which they must notify their customers of a breach; health care providers and related entities (as indicated above) are subject to additional reporting requirements under HIPAA and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act; and businesses in general may also be subject to federal cybersecurity obligations under the Federal Trade Commission Act, as well as a raft of other federal laws and regulations that organizations must be cognizant of in order to ensure compliance upon discovery of a data breach that results in the unauthorized acquisition of personal identifying information or personal health information.
Moreover, notwithstanding movement in Congress to enact a national breach notification statute, there is currently no uniform law. At present, 47 states have enacted breach notification statutes that are, generally, triggered if the personal identifying information of residents of that state is disclosed as a result of a cyber-breach. For a national organization, that means it is required to comply with 47 separate state-enacted breach notification statutes. Regional organizations, as well as mid-size and small organizations, are required to comply with the breach notification statutes of those states in which their customers reside.
Irrespective of industry or business, it is important that each organization identify and understand the breach notification statutes that might apply to it in the event it suffers a data breach that could trigger notification to affected individuals. To ensure corporate preparedness, the identification and compliance analysis of relevant breach notification statutes should be included in each company’s incident response plan.