Billing Business Associate Exceeds Breach Notification Period by 7 Months

A payment processing Business Associate (BA) of North Shore-LIJ Health System – Global Care Delivery (GCD) – has reported the theft of five laptop computers, four of which are believed to have contained the Protected Health Information (PHI) of approximately 18,000 patients. The theft took place at GCD’s offices in Texas on or before September 2, 2014.

The data stored on the laptop computers was not encrypted, although the devices were protected by passwords. While passwords offer some degree of protection, they can be cracked. The Health Insurance Portability and Accountability Act (HIPAA) demands that incidents such as this are classed as data breaches as PHI can potentially be viewed and used inappropriately.

After the discovery of the theft on September 2, 2014, GCD reported the incident to law enforcement and an investigation was conducted to determine which data was stored on the laptops. GCD determined that the laptops contained patients’ first and last names, dates of birth, diagnosis and procedural codes, and internal account numbers. Insurance identification numbers were also stored on the laptops along with approximately 2,000 Social Security numbers. No financial information or healthcare data were stored on the laptops.

GCD Fails to Adhere to the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule of 2009 places a requirement on healthcare providers, health plans and healthcare clearinghouses to send breach notification letters to all individuals affected by a data breach if personally identifiable information has potentially been exposed along with PHI. A breach notice must also be issued to the Office for Civil Rights and the media.

HIPAA-Covered Entities (CEs) are given a time frame of 60 days from the discovery of the breach to issue the notices. It took GCD 9 months from the discovery of the breach to report the theft to the North Shore LIJ Health System. No data breach report appears to have been submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) at the time of writing and breach notification letters have yet to be sent to affected patients: all of which are clear violations of the HIPAA Breach Notification Rule.

Business Associates Must Abide by HIPAA Rules

Since the introduction of the HIPAA Omnibus Rule, BAs are required to also abide by HIPAA Rules and they too have an obligation to report data breaches. According to a recent press release issued by North Shore LIJ, it was not informed of the theft and data breach until May 11, 2015.

No reason has been provided at this point as to why it took so long to issue the breach notice. That is likely to be the first question asked of the Business Associate by the OCR.

Potential HIPAA Violations Trigger OCR Compliance Reviews

The OCR is charged with enforcing HIPAA Rules and the agency takes action against violators of HIPAA Rules. The OCR can – and does – issue financial penalties for preventable data breaches and CEs and their BAs can be issued with a fine of up to $1.5 million for each HIPAA violation. The fine is then multiplied by the number of years that a violation was allowed to exist.

Furthermore, when HIPAA violations are suspected, the OCR often investigates and conducts compliance reviews. These have the potential to uncover other HIPAA violations, potentially increasing the financial penalties further still.

The huge delay suggests that the BA was either unaware of HIPAA Rules or knew its responsibilities and failed to act. The former is not an acceptable excuse for a HIPAA breach and if the latter proves to be the case, GCD can expect to receive the maximum possible financial penalty that is reserved for cases involving “wilful neglect” of HIPAA Rules.

While attention will be focused on the BA initially, North Shore LIJ may also be scrutinized for HIPAA compliance. In particular, the OCR will need to see the Business Associate Agreement between GCD and North Shore LIJ. If any irregularities are discovered, the healthcare provider could also receive a HIPAA fine.

Breach Notification Letters Yet to be Sent to Affected Individuals

Breach notification letters will be sent to all affected individuals, and these are expected to be despatched in the next few days. Affected individuals will be provided with instructions on the actions they should take to protect themselves against identity theft and fraud. GCD/North Shore will be offering credit monitoring services to affected patients for a period of one year without charge, although until the breach notification letters are received, patients who have visited North Shore LIJ for medical services should take precautions and contact Experian, Equifax and TransUnion for a free credit report. Explanation of Benefits statements should also be checked for any signs of fraudulent activity.
