AMARILLO, TX – Under HIPAA’s basic privacy requirement, covered entities and their business associates may not use or disclose an individual’s protected health information (“PHI”) except with the individual’s consent or as otherwise permitted by HIPAA. A Medicare-enrolled DME supplier that is required to submit claims electronically is a covered entity.
Civil fines for HIPAA violations can range from $100 per violation (with an annual maximum of $25,000 for repeat violations) to $50,000 per violation (with an annual maximum of $1.5 million). Criminal liability may be imposed on covered entities and other individuals who “knowingly” obtain or disclose identifiable PHI in violation of privacy laws.
Punishments for violation of criminal statutes include fines up to $50,000 and imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased up to a $100,000 fine and imprisonment up to five years. Offenses committed with the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment for up to ten years. In addition, some covered entities may also be excluded from participation in Medicare.
No Private Cause of Action
HIPAA does not create a private cause of action for aggrieved individuals. In other words, an individual who is affected by a HIPAA violation cannot bring suit against the offender under HIPAA.1 Rather, HIPAA is enforced by the Office of Civil Rights (“OCR”) and CMS.
HIPAA requires covered entities to notify individuals when their unsecured PHI has been breached.2 All breach notifications must be made without unreasonable delay, and in no circumstance more than sixty days after the breach is discovered, unless a law enforcement official determines that notification would impede a criminal investigation or damage national security. A breach is considered discovered on the first day such breach is known or reasonably should have been known to the covered entity, including any employees, officers, or agents.
HIPAA also requires covered entities to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure of the individual’s PHI. Factors to be considered include: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated.
If, after performing the risk assessment, a covered entity determines that there is a low probability that the PHI has been compromised, no notification is required. Otherwise, notification of individuals by the covered entity is required. Various methods of notification exist, depending on the number and location of individuals whose PHI has been breached.
Actual Written Notice
Actual written notification must be provided to the individuals affected by the breach, as well as substitute notice to the individual if the individual’s contact information is insufficient or out-of-date. Notification must be provided by first class mail or email. Email is only permissible if the individual has agreed to receive electronic notice. If the affected individual is deceased, notification must be sent to the individual’s next of kin or personal representative if the covered entity knows that the individual is deceased and has the address of the next of kin or personal representative.
Written notifications must be written in plain language and must include the following:
1) A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;
2) A description of the types of unsecured PHI that were involved (e.g., full name, Social Security number, date of birth, etc.);
3) Any steps individuals should take to protect themselves from potential harm resulting from the breach;
4) A brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and protect against any further breaches; and
5) Contact procedures for individuals to ask questions and obtain additional information, which must include a toll-free telephone number, an email address, website, or postal address.
If the covered entity does not have sufficient contact information for some or all of the affected individuals or if some notifications are returned as undeliverable, the covered entity must provide substitute notice as soon as reasonably possible after the covered entity is aware that it does not have sufficient contact information. The type of substitute notice depends on the number of individuals the covered entity is unable to contact.
If fewer than ten individuals cannot be reached through actual written notice, the covered entity must provide substitute notice through alternative forms of written communication, telephone, email, a posting of notice on the covered entity’s website, or other similar means.
If ten or more individuals cannot be reached via actual written notice, the covered entity must provide substitute notice through either a conspicuous posting on the covered entity’s website home page for ninety days or conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside. These substitute notices must be reasonably calculated to reach the affected individuals. Additionally, the covered entity must set up a toll-free telephone number, active for ninety days, where an individual can determine if his or her PHI was included in the breach. This toll-free number must be included in the substitute notice.
In cases where the covered entity determines there is imminent danger that the unsecured PHI will be misused, notice by telephone or other means may be made, in addition to the written notice required.
Notification to the Media
If 500 or more individuals in any one state or jurisdiction are affected by a breach, in addition to providing written notice as described above, a covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case more than sixty days after the breach was or reasonably could have been discovered. The notification to the media must include the same information as required in the actual written notice.
Notification to DHHS
If more than 500 individuals are affected by a breach, the covered entity must notify DHHS of the breach without unreasonable delay but in no case more than sixty days after the breach is discovered. The notification to DHHS must be provided if more than 500 individuals are affected, regardless of whether the individuals are residents of a particular state or jurisdiction (unlike the notification to the media standard). Information regarding the manner of reporting breaches may be found on the DHHS website. The DHHS website will maintain a list of covered entities that submit reports of breaches involving more than 500 individuals.
If fewer than 500 individuals are affected by a breach, immediate notification does not need to be made to DHHS. However, the covered entity must maintain a log or otherwise document the breach and submit the information annually. The information must be submitted to DHHS no more than sixty days after the end of a calendar year. Again, information on the manner of reporting breaches may be found on the DHHS website.
If the covered entity suspects a data breach, then it should take remedial steps to mitigate the effects of the suspected data breach and prevent future occurrences, as any breach discovery is also a HIPAA security incident that requires response and reporting. The covered entity’s analysis of its policies and procedures should include the following items:
1) Is there a system or procedure to discover breaches? Does this apply to both the covered entity and its business associates?
2) Has the entire workforce been trained on the need for prompt reporting of privacy and security breaches? Are meaningful sanctions or consequences applied for untimely reporting of breaches? Is documentation maintained of the training and the sanctions?
3) Is there a procedure in place to remediate the cause of the breach, if possible, and demonstrate that it is not likely to re-occur?
Additionally, the covered entity should review its HIPAA forms, policies and procedures to ensure that each satisfies current regulatory requirements and that employees receive initial and refresher HIPAA training as often as necessary to build a culture of compliance.
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato PC, a law firm based in Amarillo, Tex. He represents pharmacies, HME companies, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization. He can be reached at (806) 345-6320 or firstname.lastname@example.org.