HIPAA – Do you have $475,000 to spare? Timely Breach Notification
If you (or your organization) provide health care, it is likely that you are considered a "Covered Entity" and must comply with the federal privacy rule more commonly known as "HIPAA". One component of HIPAA requires covered entities to notify patients in a timely manner if the covered entity experiences a breach of patient data. Examples of a potential breach are discovering that an outside force hacked into your software system containing patient information; an employee opened an email and let loose "ransom ware" to infect your software system and all of your data; a laptop or other device containing patient data is lost or stolen; or, a disgruntled employee removed patient files or other information from your premises -- the list goes on.
If a breach occurs, a covered entity has 60 days from when the breach is discovered within which it must notify the affected patients that their protected health information may have been compromised, and the notice must contain other specific information. Also, in some circumstances, the media must also be notified. Failure to timely and properly notify affected patients will subject the covered entity to potential fines and other punitive action.
To drive this point home, on January 9, 2017, the agency charged with enforcement of HIPAA -- the U.S. Department of Health and Human Services Office of Civil Rights, or "OCR" -- announced the first HIPAA settlement based upon an organization's untimely reporting of a breach to its affected patients. The organization agreed to settle potential violations of HIPAA by paying $475,000 and implementing a corrective action plan. The OCR stated that the settlement balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.
If you are a covered entity, not understanding your obligations under HIPAA can result in catastrophic fines. Contact Janie M. Ratliff-Sweeney at the law firm of Hemmer DeFrank Wessels, PLLC to consult about HIPAA. Mrs. Ratliff-Sweeney's email address is firstname.lastname@example.org and her phone number is (859) 344-1188.