HIPAA Privacy and Breach Notification Failures Lead to $2.175 Million Settlement

HHS’s Office for Civil Rights (OCR) has announced a $2,175,000 settlement with a group of hospitals for violations of the HIPAA privacy and breach notification rules. OCR opened an investigation after receiving a complaint that a patient’s bill included a different patient’s protected health information (PHI). OCR’s investigation determined that PHI of 577 patients had been improperly mailed to other individuals. The hospitals reported this incident as a breach affecting just eight individuals after concluding, incorrectly, that a reportable breach did not occur unless patient diagnosis, treatment information, or other medical information was disclosed. According to OCR, the hospitals persisted in their refusal to properly report the breach even after OCR advised them to do so. OCR also determined that the hospitals failed to have a business associate agreement in place with a related entity that created, received, maintained, disclosed, or transmitted PHI to perform services on the hospitals’ behalf.

In addition to the settlement payment, the hospitals agreed to a two-year corrective action plan (CAP). The CAP requires the hospitals to bring their breach notification policies and procedures into compliance with HIPAA and distribute the updated policies and procedures to workforce members. Furthermore, upon receiving information that an unauthorized acquisition, access, use, or disclosure of PHI has occurred, the hospitals must promptly evaluate whether the incident constitutes a reportable breach. If they conclude that breach notification is not required, they must send HHS a description of the incident, a copy of their breach risk assessment, and a description of actions taken and further steps to address the matter.

EBIA Comment: This resolution agreement reminds us that PHI is not limited to diagnostic, treatment, or other medical information and includes a broad range of other individually identifiable information used or disclosed in the provision of, or payment for, health care. This settlement also underscores the importance of conducting a thorough assessment to determine whether PHI has been compromised and breach notification is required. The nature and extent of PHI involved in an unauthorized disclosure is one factor in the assessment. Certain types of nonmedical PHI are highly sensitive and may weigh in favor of breach notification. Moreover, although this resolution agreement involved a health care provider, mailing mistakes are an unfortunate fact of life for health plans and TPAs as well, and this large settlement highlights the potential adverse consequences of misunderstanding the breach notification obligations stemming from these incidents. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXIV (“Business Associate Contracts”), and XXV.B (“Breach Notification for Unsecured PHI: What Constitutes a Breach?”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).

Contributing Editors: EBIA Staff.