Why Practices Must Report a Data Breach

In a recent press release, New York Attorney General Eric T. Schneiderman said, "Healthcare service providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs." On June 15^th, The New York Attorney General's Office announced a settlement with CoPilot Provider Support Services, Inc.–a company that is considered a business associate under HIPAA and the HITECH Act.

CoPilot provides services to physicians to assist them in determining whether insurance coverage is available for certain medication. In October 2015, access was gained by an unauthorized person via a subcontractor of CoPilot, PHPMyAdmin. In turn, nearly 221,178 patient reimbursement records were accessed.

According to a press release from the Attorney General, the perpetrator downloaded reimbursement-related records for 221,178 patients – including name, gender, date of birth, address, phone number, and medical insurance card information. Of the patients affected, 25,561 were residents of New York, 11,372 of the New York patients' records also included social security numbers.

CoPilot knew this happened in 2015, yet, despite CoPilot's request that the FBI investigate the breach, no report was made to government agencies or affected patients until January 2017. The notifications were issued more than one year after CoPilot learned of the breach of patient data. Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications, according to the press release. Ultimately, CoPilot settled with the State of New York for $130,000.

This settlement highlights the importance of the requirements set forth in the federal HIPAA Breach Notification Rule. The rule says, once a breach has been determined, a business associate has a duty to report the breach to the covered entity or entities that are affected. Furthermore, notice must be provided to the Secretary of the U.S. Department of Health and Human Services within 60 days of the discovery of the breach.

This timeframe and the information required to be communicated by the business associate includes the identification of each individual, as well as any other relevant information, which is required to be provided by the covered entity in its notification to the individuals who were impacted.

CoPilot's situation serves as an important reminder for physicians. The takeaways for practices are as follows:

•Make sure that business associate agreements have the appropriate breach notification language.

•Disclose breaches within the requisite reporting periods for both state and federal agencies.

•Perform adequate and annual due diligence on business associates.