Most healthcare providers are aware that they are required to take steps to secure the health information of their patients under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While most providers see that their staff make every effort to protect all patient health information (“PHI”) in accordance with HIPAA, there are unfortunately some instances in which even the best precautions fail to prevent the unauthorized release of this information. In the event of a breach, HIPAA and the associated Health Information Technology for Economic and Clinical Health Act (“HITECH”) mandate that a report of the breach be submitted to governmental authorities. Presently, providers should be aware that to the extent any breach of PHI was discovered during calendar year 2018, the breach must be reported to the Secretary of the Department of Health and Human Services no later than March 1, 2019.
As per HIPAA, PHI is defined as “any information about health status, provision of health care, or payment for health care that is created or collected by a health care provider.” In conjunction with updates to the HIPAA Privacy Rule enacted in 2013, HITECH made certain additions to the HIPAA Privacy Rule and imposed obligations on covered entities with respect to reporting “breaches” of protected health information to government authorities. Under HIPAA and HITECH, a “breach” is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
Oversight and enforcement of HIPAA compliance are vested in the Office for Civil Rights (“OCR”), a division of the United States Department of Health & Human Services. In all cases, covered entities must notify affected individuals that their PHI was breached, and provide them with certain information, without unreasonable delay and in no event later than 60 days following discovery of the breach. This may be accomplished via first class mail or, in the alternative, by email if the patient has consented to receiving electronic notices from the covered entity. Alternative steps must be taken if a covered entity finds that its contact information for ten or more affected patients is out of date.
In the case of a breach affecting 500 or more residents of a State or jurisdiction, a covered entity is also required to give notice to “prominent media outlets” serving the State or jurisdiction. This is most commonly accomplished by a press release from the covered entity. As with the individual notices, the media notice must be provided without unreasonable delay, and in no event later than 60 days following the discovery of the breach. The media notice must include the same information provided in the individual notices.
Finally, a covered entity must give notice to the Secretary of Health and Human Services using the portal on the OCR website at HHS.gov. For breaches affecting 500 or more patients, the time period in which the report must be made is the same as for the individual and media notices: no later than 60 days after discovery of the breach. For breaches involving fewer than 500 individuals, however, notice must be given within 60 days of the end of the calendar year in which the breach was discovered. As noted above, any provider who is aware of a breach during 2018 but fails to report the breach to the Secretary prior to March 1, 2019 risks becoming the subject of civil or even criminal penalties under HIPAA.
Providers who require assistance in identifying or reporting a HIPAA breach should consult a knowledgeable attorney regarding the scope of their reporting obligations.
Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a New York law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors’ rights, and commercial real estate transactions.
ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.