Under the Health Insurance Portability and Accountability Act (HIPAA) Rules, covered entities must report data breaches within 60 days of the discovery of a breach. Affected individuals must also be notified within the same time frame. State legislation has been introduced that similarly requires organizations to issue notifications and report the incidents to state officials. Breach reports are also covered by other federal legislation, which typically requires organizations to issue breach notifications to affected individuals in a timely manner.
Most organizations report data breaches promptly, although recently there have been some notable exceptions. OCR has recently fined one healthcare organization for waiting a month past the HIPAA deadline before issuing notifications. Presence Health paid OCR $475,000 to resolve the HIPAA violations.
CoPilot Provider Support Services, Inc., experienced a data breach in October 2015; however, instead of notifying affected individuals in early 2016, breach notifications were sent to affected individuals in January 2017, more than a year after the breach occurred and was discovered. The New York attorney general has recently announced that his office has fined CoPilot $130,000 for the delay.
There is some confusion about whether CoPilot is a HIPAA-covered entity. CoPilot maintains it is not, although the firm does provide services to healthcare organizations and could therefore be classed as a business associate. OCR is currently reviewing whether the company is covered by HIPAA.
The New York attorney general did not issue a fine for a HIPAA violation, which would have been possible under HIPAA Rules. Instead, the fine was issued for a violation of General Business Law § 899-aa, which requires organizations to issue ‘timely breach notifications’.
Announcing the fine, NY AG Eric T. Schneiderman said, “[CoPilot] has agreed to comply with New York’s consumer protection and data security laws, Executive Law § 63(12) and GBL § 899-aa, and to update relevant policies and procedures to ensure compliance with GBL § 899-aa,” explaining that CoPilot violated GBL § 899-aa by delaying breach notifications by more than a year.
In addition to the $130,000 fine, CoPilot must update its policies covering breach notifications and improve its compliance program.
CoPilot stated that the delay was due to an FBI investigation, which was focused on a former employee who was believed to have gained access to an administration website used by the firm and downloaded 221,178 patient records. The FBI investigation was launched in February 2016. While law enforcement can request that breach notifications be delayed to ensure an investigation is not impeded, in this case no request was made and issuing notifications would not have impeded the investigation.
Schneiderman said, “A company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.” If an investigation is being conducted, a company should only delay notifications if instructed to do so in writing. That company should also request a date when notifications can be sent, and if one is not provided, should maintain contact with law enforcement “until approval for notification pursuant to GBL § 899-aa is provided.”