The HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to patients within 60 days of the discovery of a data breach. Already this year, OCR has agreed its first settlement with a HIPAA-covered entity solely for delaying the issuing of breach notifications, sending a warning that non-compliance will not be tolerated.
However, not all healthcare organizations are included in the HIPAA definition of a covered entity. CoPilot Provider Support Services Inc. is one such organization, at least according to CoPilot. There is currently some doubt as to whether CoPilot is a covered entity, and the Department of Health and Human Services’ Office for Civil Rights is currently looking into that.
While there is some doubt as to whether CoPilot is covered under HIPAA, and whether it must therefore comply with the HIPAA Breach Notification Rule, HIPAA is not the only legislation that requires breach notifications to be sent to individuals affected by a data breach. At the time of writing, all but three states in the U.S. have their own breach notification laws. The failure to notify individuals promptly could violate state laws and attract a financial penalty.
For CoPilot, it has meant a fine of $130,000 from the New York Attorney General under General Business Law § 899-aa.
The incident in question was a breach of sensitive information on October 26, 2015. An individual, believed to be a former CoPilot employee, downloaded the names, addresses, phone numbers, dates of birth and insurance details of 221,178 individuals.
CoPilot became aware of the breach and sought assistance from the FBI in February 2016 to help establish the identity of the individual who stole the data. Rather than issue breach notification letters to affected individuals within two months, CoPilot waited. And waited. Breach notification letters were finally sent on January 18, 2017, 15 months after the breach and at least a year after the breach was discovered.
NY Attorney General Eric Schneiderman recently announced the settlement with CoPilot. He explained, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs.” Those notifications should also be sent as soon as possible after the discovery of a breach to allow affected individuals to take action to protect their identities and mitigate the risk of fraud.
Attorney General Schneiderman said, “Waiting over a year to provide notice is unacceptable.” He also warned organizations doing business in the state of New York that “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”