HIPAA Compliance News

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018.

Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules.

In addition to the audit program, any HIPAA-covered entities that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website.

The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the second round of audits. Also, the past two years as seen an increase in financial penalties for noncompliance with HIPAA Rules that was discovered during investigations of complaints and data breaches.

There is now an elevated risk of an audit or investigation and OCR is issuing more fines for noncompliance. Consequently, covered entities cannot afford to take chances. Many healthcare organizations are turning to HIPAA compliance software and are seeking assistance from compliance experts to ensure their compliance programs are comprehensive and financial penalties are avoided.

Imperial Valley Family Care Medical Group Calls in HIPAA Compliance Experts

Imperial Valley Family Care Medical Group is a multi-specialty physician’s group with 16 facilities spread throughout California. IVFCMG was not selected for a desk audit, although following the theft of a laptop computer, OCR investigated the breach. IVFCMG was required to demonstrate compliance with HIPAA Rules and provide documentation to show the breach was not caused by the failure to follow HIPAA Rules.

Covered entities may fear a comprehensive HIPAA audit, but investigations into data breaches are also comprehensive. OCR often requires considerable documentation to be provided to assess compliance following any breach of protected health information. In the case of IVFCMG, OCR’s investigation was comprehensive.

Responding to OCR’s comprehensive questions in a timely manner was essential. IVFCMG, like many covered entities that are investigated or selected for an audit must be careful how they respond and all questions must be answered promptly and backed up with appropriate documentation.

As we have already seen this year, if HIPAA Rules are not followed to the letter after a data breach is experienced, fines can follow. Presense Health was fined $475,000 by OCR for potential violations of the HIPAA Breach Notification Rule following a breach of PHI.

Following the breach, IVFCMG turned to a third-party firm for assistance and contacted the Compliancy Group. By using the firm’s Breach Response Program, IVFCMG was able to ensure all of the required actions were completed, in the right time frame, and all of those processes were accurately documented.

The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software platform. Compliancy Group simplifies HIPAA compliance, allowing healthcare professionals to confidently run their practice while meeting all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” methodology to ensure continued compliance, with covered entities guided by HIPAA compliance experts all the way.

IVFCMG’s Chief Strategic Officer, Don Caudill, said “Their experts provided us with a full report and documentation proving that our HIPAA compliance program satisfied the law – which ultimately helped us avoid hundreds of thousands of dollars in fines.” When OCR responded to the initial breach report asking questions about another aspect of HIPAA Rules, IVFCMG was able to respond in a timely fashion and provide the evidence to prove it was in compliance.

HIPAA compliance software helps covered entities pass a HIPAA audit, respond appropriately when OCR investigates data breaches and complaints, and avoid fines for non-compliance. OCR has increased its enforcement activity over the past two years and healthcare data breaches are on the rise. Non-compliance with HIPAA Rules is therefore much more likely to be discovered and result in financial penalties.

Small to medium sized HIPAA-covered entities with limited resources to dedicate to HIPAA compliance can benefit the most from using HIPAA compliance software and receiving external assistance from HIPAA compliance experts.

“Responding to a HIPAA audit requires sensitivity and expertise,” Bob Grant, Chief Compliance Officer of Compliancy Group, told HIPAA Journal. “As a former auditor, I’ve developed The Guard and our Audit Response Program to satisfy the full extent of the HIPAA regulatory requirements. Giving federal auditors everything they need to assess the compliance of your organization is our number one goal. Our Audit Response Program is the only program in the industry to give health care professionals the power to illustrate their compliance so they can get back to running their business in the aftermath of a HIPAA audit.”

The post The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit appeared first on HIPAA Journal.

OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data

The Department of Health and Human Services’ Office for Civil Rights has launched a new campaign to raise awareness of patients’ right to access their health information and the benefits of doing so.

The “Information is Powerful Medicine” campaign informs patients that they have the right to obtain copies of their health data and tells them to “Get it. Check it. Use it.”

The benefits to patients are clear. If they obtain copies of the health information they can check their medical records for errors and correct any mistakes. Having access to health data helps patients to make better decisions about their health care and discuss their health more fully with their providers. Armed with their health data, patients can do more to stay healthy.

Patients are advised that the HIPAA Privacy Rule allows them to obtain a physical or electronic copy of their health data and that their provider should provide the information as requested within 30 days. It has been explained that they may be charged a nominal fee for obtaining a copy of their health data. Patients are also informed that copies of their health data cannot be denied by their providers, even if there is a medical bill outstanding.

Healthcare providers should encourage their patients to take greater interest in their own healthcare and obtain copies of their health records. OCR has produced a range of resources for healthcare providers to use to achieve this aim, including brochures, web banners, and posters.

The OCR resources can be accessed on this link: HIPAA Right to Access Health Information.

Healthcare providers should make it as easy as possible for patients to request copies of their health data. To make the process as easy as possible, consider using the model PHI request form developed by AHIMA. The form helps healthcare providers streamline the request process and ensure all necessary information is obtained from patients.

The post OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data appeared first on HIPAA Journal.

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma.

As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma.

OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

  • 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
  • 45 CFR 164.520 – Distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster protocol. If either the President’s or HHS Secretary’s declaration terminates within that 72-hour time period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.

In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued. Further details of the allowable disclosures in emergency situations are detailed in the HHS HIPAA bulletin.

In all cases, covered entities must limit disclosures to the minimum necessary information to achieve the purpose for which PHI is disclosed.

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure appropriate administrative, physical, and technical safeguards are maintained to ensure the confidentiality, integrity, and availability of electronic protected health information to prevent unauthorized access and disclosures.

The post Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone appeared first on HIPAA Journal.

OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters

Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergency situations to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document.

Hot on the heels of hurricane Harvey comes hurricane Irma, closely followed by hurricane Jose. Hospitals in other parts of the United States will have to cope with the storm and its aftermath and still comply with HIPAA Rules. OCR has taken the opportunity to remind covered entities of the need to prepare.

OCR has explained that the HIPAA Privacy Rule was carefully created to ensure that in emergency situations, healthcare organizations can protect the privacy of patients and still share individually identifiable health information.

OCR also reconfirmed that even in emergency situations, the HIPAA Security Rule is not suspended and preparation for emergencies is essential. HIPAA-covered entities and business associates are required to implement strategies to ensure ePHI remains secured at all times and the confidentiality, integrity, and availability of ePHI is not placed in jeopardy. During and after an emergency, ePHI must be accessible, which means covered entities must plan for all eventualities to ensure patient health information can always be accessed.

OCR explained that the HIPAA Security Rule – § 164.308(a)(7) – requires contingency plans to include a data backup plan, disaster recovery plan, and emergency mode operation plan. These are all required elements of the HIPAA Security Rule.

The data backup plan must ensure retrievable, exact copies of electronic protected health information are created and maintained. The disaster recovery plan must ensure any data lost during a natural disaster or emergency can be recovered from backups. Procedures must be established, and implemented as necessary, to ensure data can be quickly recovered. During emergency mode, security processes to protect ePHI must be maintained, even during power outages and technical failures.

Further, there are two addressable requirements: testing and revision procedures and application and data criticality analysis. Covered entities should periodically test their contingency plans and revise them as necessary to ensure they continue to be effective in an emergency situation. Covered entities should also identify software applications that store, maintain or transmit ePHI, and assess how important each is to business needs. Priorities must be set for data backup, emergency operations, and disaster recovery.

OCR has drawn attention to an interactive decision tool on the HHS website that has been developed to help healthcare organizations prepare for the worst and find out how HIPAA Rules apply in emergency situations. OCR explains, “The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.”

While the reminders have been issued specifically to help covered entities prepare for when hurricane Irma makes landfall, even covered entities unlikely to be affected must ensure they are prepared for the worst.

The post OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters appeared first on HIPAA Journal.

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations of the dangers of failing to follow HIPAA Rules.

When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules.

At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.”

Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA Rules. Severino said, “Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.”

Severino also explained that the number of complaints OCR is now receiving is colossal. More than 20,000 complaints about security incidents and privacy violations are received each year. OCR has many staff issuing technical assistance to help covered entities with their compliance programs.  The goal is to significantly reduce the number of complaints and enjoy a “culture of compliance” throughout the country.

The majority of HIPAA violations are resolved through technical assistance and voluntary compliance, but financial penalties are appropriate for egregious breaches of HIPAA Rules.

Already this year, OCR has agreed eight settlements with covered entities to resolve HIPAA violations discovered during investigations of complaints and data breaches and has issued one civil monetary penalty:

2017 HIPAA Enforcement Actions

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million (Civil monetary penalty)
  • Cardionet – $2.5 million
  • Memorial Hermann Health System (MHHS) – $2.4 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000
  • Metro Community Provider Network – $400,000
  • Luke’s-Roosevelt Hospital Center Inc. – $387,000
  • The Center for Children’s Digestive Health – $31,000

The largest HIPAA settlement of 2017 was agreed with Memorial Healthcare System – a health system consisting of 6 hospitals and various other facilities in South Florida. The settlement of $5.5 million resolved potential violations of HIPAA Rules relating to the impermissible accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff.  The settlement underscored the importance of audit controls and the need to carefully control who has access to the ePHI.

The second largest HIPAA settlement of 2017 was for $2.5 million and resolved multiple potential violations of HIPAA Rules that contributed to a breach of 1,391 patient records. The incident involved the theft of an unencrypted laptop computer from healthcare services provider Cardionet. The settlement underscored the importance of conducting a comprehensive risk assessment and of addressing vulnerabilities to the confidentiality of ePHI.

In May, OCR announced a $2.4 million settlement with Memorial Hermann Health System. The settlement resolved HIPAA violations discovered during the investigation of an impermissible disclosure of a patient’s ePHI in a press release and during subsequent meetings with advocacy groups and state representatives.

In January, a $2.2 million settlement was agreed with MAPFRE Life Insurance Company of Puerto Rico. The incident that triggered the investigation involved the theft of an unencrypted pen drive containing the PHI of 2,209 individuals. The investigation revealed multiple violations of HIPAA Rules including the failure to conduct a thorough and accurate risk assessment, the failure to implement a security awareness training program, the failure to encrypt ePHI and the failure to implement appropriate policies to safeguard ePHI.

The civil monetary penalty against Children’s Medical Center of Dallas was issued for the impermissible disclosure of ePHI and multiple failures to comply with the HIPAA Security Rule over several years. The settlement resolves HIPAA failures that contributed to a breach of 3,800 records involving the loss of an unencrypted Blackberry device in 2009 and the loss of an unencrypted laptop containing 2,462 records in 2013.

There has been a period of quiet on the enforcement front over the summer, with the last settlement announced in May. The fall is likely to see more settlements announced and this year looks on track to be another record year for HIPAA enforcement. The big, juicy egregious breach that OCR is looking for may prove to be the largest HIPAA penalty yet.

The post OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017 appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

Want to Prevent Data Breaches? Time to Go Back to Basics

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes.

Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors.

The blog posts are particularly relevant for small to medium sized healthcare organizations that are finding data security something of a challenge.

The blog posts are an ideal starting point to ensure all the security basics are covered.  They cover 10 basic security principles the FTC looks at when investigating complaint and data breaches. The blog posts use examples from FTC cases and 60+ complaints and orders, including settlements reached with organizations that have failed to implement appropriate security controls. The FTC has also listened to the challenges faced by businesses when attempting to secure sensitive information and offers practical tips to address those challenges.

While the FTC has taken action against organizations, in the majority of cases investigations have been closed without any further action necessary. Companies may have experienced data breaches, yet they got the basics right and had implemented reasonable data security controls. They may not have been enough to prevent cyberattacks and other security incidents, but they were sufficient to avoid a financial penalty.

The same applies to Office for Civil Rights investigations into HIPAA data breaches. OCR investigates all breaches of more than 500 records, yet only a very small percentage of the 2,000+ data breaches reported to OCR have resulted in a financial penalty. If you want to avoid a FTC or HIPAA fine, it is essential to get the basics right. Getting the basics wrong can prove very costly indeed.

The FTC blog services covers the following aspects of data security:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The blog posts have been combined into the FTC’s Start with Security brochure, which is a “nuts-and-bolts brochure that distills the lessons learned from FTC cases down to 10 manageable fundamentals applicable to companies of any size.” The blog posts and brochure can be viewed on this link.

HIPAA-covered entities should also sign up with OCRs cybersecurity newsletter, which details new threats and further steps that covered entities should take to improve security and keep ePHI secure. To sign up for the newsletter, visit this link and be sure to check out the Security Rule guidance material published by HHS.

The post Want to Prevent Data Breaches? Time to Go Back to Basics appeared first on HIPAA Journal.

Delaying Breach Notifications is a Violation of the Breach Notification Rule

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities to notify the HHS’ Office for Civil Rights of a breach of unsecured protected health information and send notification letters to affected individuals without unreasonable delay and no later than 60 days after the discovery of the breach.

As last year’s monthly Breach Barometer reports from Protenus have shown, many covered entities have struggled to comply with the HIPAA Breach Notification Rule and have disclosed their breaches to OCR after the deadline has passed.

This year has seen a major improvement in reporting times. The Protenus 2017 Breach Barometer Mid-Year Review shows that between January and June, it took an average of 54.5 days from the discovery of a breach to notify OCR.

A look back at the Breach Barometer report for January shows just how much the situation has improved. In January, there were 31 data breaches disclosed. 40% of those breaches were reported later than the 60-day deadline.

The improvement in breach reporting time is likely due, in part, to the decision by OCR to enter into a settlement agreement with a covered entity for unnecessarily delaying the issuing of a breach report. In January, Presense Health agreed to a $475,000 settlement after delaying the issuing of breach notifications to patients/OCR.

A look at the breach notification letters sent to breach victims by covered entities shows many healthcare organizations are delaying sending notifications until the deadline approaches. It is extremely common for breach notification letters to be sent just a few days before the 60-day deadline is reached.

There are often reasons for delaying the issuing of notifications. Law enforcement may request the issuing of notifications be delayed so as not to interfere with a criminal investigation of the breach. Covered entity may not have all the facts about the breach, or it may not be apparent which individuals have been affected and need to be notified.

However, when affected individuals have been identified, breach notification letters should be sent as soon as possible. Even if notification letters are sent inside the 60-day deadline, a covered entity can still be in violation of the Breach Notification Rule.

At the Allscripts user conference in Chicago, Deven McGraw, deputy director for health information privacy for the HHS Office for Civil Rights, explained that the Breach Notification Rule sets a deadline of 60 days to report a breach and notify patients, but that is not a recommendation. She explained that the HIPAA Breach Notification Rule clearly states notice of a breach must be provided “without unreasonable delay”.

McGraw said, “You can be in violation of HIPAA Rules if you are sitting on your notification, waiting for those 60 days.”

No organization wants to have to notify patients or health plan members that their protected health information has been exposed or stolen, but it is essential that notifications are issued promptly to reduce the harm caused.

Back in January, then OCR Director Jocelyn Samuels explained the reason why breach notifications must be issued promptly when the settlement with Presense Health was announced. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The more an organization delays the sending of breach notifications, the greater the potential for patients and plan members to suffer financial losses as a result of the breach.

The post Delaying Breach Notifications is a Violation of the Breach Notification Rule appeared first on HIPAA Journal.