Health care providers typically have some discretion in determining whether an incident is reportable under the Health Insurance Portability and Accountability Act (HIPAA). However, providers should take care in exercising such discretion. As evidenced by a recent settlement between a hospital system and the Office for Civil Rights (OCR), a provider’s decision not to report an incident may result in significant costs.
Subject to certain exceptions, a “breach” under HIPAA is defined as the unauthorized acquisition, access, use, or disclosure of protected health information (PHI). When a breach occurs, it must be reported to the affected individual(s) and to OCR within specified timelines under federal law. Reports must be filed with the media for breaches affecting more than 500 individuals. In addition to the reports required under HIPAA, state law may mandate further reporting.
At times, a health care provider may conclude that an incident involving the unauthorized acquisition, access, use, or disclosure of PHI is not a reportable breach. HIPAA includes certain exceptions to the reporting requirement. Also, a provider may conclude that a report is not required because there is a low probability of compromise to the privacy and security of the PHI. It is important to note that any such analysis and conclusion may be subject to scrutiny, as evidenced in the recent settlement.
On November 27, 2019, OCR announced a settlement with Sentara Hospitals, a health system in Virginia and North Carolina. After receiving a bill from Sentara Hospitals that contained another patient’s information, an individual filed a complaint with OCR. Following receipt of the complaint on April 17, 2017, OCR opened an investigation of Sentara Hospitals.
OCR’s investigation revealed that Sentara Hospitals sent statements for 577 patients to the wrong addresses. The statements included patient names, account numbers, and dates of service. For 8 of these individuals, Sentara Hospitals concluded that a breach had occurred and filed reports in accordance with HIPAA.
However, Sentara Hospitals concluded that the billing error was not a breach and did not warrant reports for the remaining 569 individuals. Sentara Hospitals reached this conclusion because the statements that were mailed did not include the patient’s diagnosis, treatment information, or other medical information. OCR disagreed with Sentara Hospitals’ conclusion. Moreover, in the press release concerning the settlement, OCR noted that “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR.”
OCR alleged that Sentara Hospitals failed to report breaches of PHI as required by HIPAA. In addition to this claim, OCR concluded that Sentara Hospitals failed to have a Business Associate Agreement with its parent corporation, which performed certain administrative functions for Sentara Hospitals that involved PHI.
To settle OCR’s claims, Sentara Hospitals agreed to pay $2.175 million and to execute a two-year corrective action plan. Under the corrective action plan, Sentara Hospitals must develop policies and procedures regarding breaches and breach notification. These policies and procedures must be submitted to OCR for review. Following OCR’s approval, Sentara Hospitals must present the policies and procedures to its workforce and obtain signed statements from workforce members certifying their receipt and understanding of the policies and procedures. The corrective action plan obligates Sentara Hospitals to review the policies and procedures on an annual basis. During the term of the corrective action plan, OCR will monitor Sentara Hospitals’ assessments of potential breaches, and Sentara Hospitals will submit periodic reports relating to the implementation of the corrective action plan.
In the event a health care provider decides that a breach is not reportable, the provider should have documented evidence supporting the conclusion. To gather the evidence, the provider should conduct a thorough investigation and obtain information relating to the following: (i) the nature and extent of PHI involved in the incident; (ii) the unauthorized person who acquired, accessed, used, or received the PHI; (iii) whether the person actually viewed the PHI; and (iv) the effect of mitigation efforts.
At the conclusion of the investigation, the provider should identify and assess the risks to the privacy and security of PHI. All aspects of the investigation and the provider’s assessment should be documented. If the evidence demonstrates a low probability of compromise to the privacy or security of PHI, then the provider may be able to reasonably conclude that the breach is not reportable.
As demonstrated in OCR’s recent settlement with Sentara Hospitals, a provider’s decision to not file a breach report may be subject to scrutiny. Accordingly, providers should broaden risk assessments to include risks unrelated to the PHI. Specifically, when deciding not to report an incident, a provider should evaluate the risk of potential fines and reputational damage in the event OCR investigates the matter and disagrees with the provider’s conclusion.