In the first HIPAA enforcement action of its kind, the HHS Office for Civil Rights (OCR) levied a $475,000 fine against a health system that took too long to notify patients and the government after a breach of unsecured protected health information (PHI).
Industry observers say the move is a wake-up call for health insurers, health systems and providers. Under the Breach Notification Rules (BNR), patients and health plan members must be notified within 60 days of the discovery of a breach regardless of the breach size. The rules also require notification to the government, and in incidents affecting more than 500 people, notice to the media.
The incident goes back to October 2013 when Illinois-based Presence Health discovered hundreds of paper operating schedules — containing patient names, birth dates, medical record numbers, dates of procedures, types of procedures and surgeon names — were missing from one of its surgery centers. OCR didn’t receive a breach notification report from Presence Health until Jan. 31, 2014 — 100 days after the incident was discovered. The health system has more than 150 sites of care, including 11 hospitals, according to its website.
“This settlement tells me that OCR’s compliance review uncovered systemic and far-reaching issues of non-compliance,” says David Holtzman, vice president of compliance strategies at CynergisTek, Inc., a health IT consulting firm. He adds that “99.99%” of all compliance reviews and complaint investigations are resolved informally. “That this review went to a monetary settlement and long-term corrective action plans signals that OCR found deeply rooted problems,” says Holtzman, who previously served on OCR’s health information privacy team.
OCR Timing May ‘Raise an Eyebrow’
Chris Apgar, CEO and president of the health care privacy and security consulting firm Apgar & Associates, says investigators tend to look for patterns and multiple problems when conducting an investigation. In the case of Presence Health, he says, it had a pattern of not reporting breaches within the required 60 days. Organizations fined in the past typically have had more than one problem, such as the lack of a business associate agreement and no risk assessment. The penalty against Presence Health was unique in that it was focused only on the organization’s response time.
Since the BNR took effect in 2009, 1,800 large breaches have been reported to OCR along with more than 240,000 small ones. Since mid-2015, OCR has collected more than $27 million in penalties from covered entities and business associates, according to Holtzman.
Michael Adelberg, a former senior official in CMS’s Center for Consumer Information and Insurance Oversight (CCIIO), suggests the timing of the enforcement action, in the waning days of the Obama administration, likely isn’t coincidental, and could have implications for stakeholders that have access to PHI. Adelberg is a senior director at FaegreBD Consulting in Washington, D.C.
The timing of the penalty “might raise an eyebrow” given the offense occurred three years ago, he tells AIS Health. He suggests that the action could alter breach enforcement for years to come.
While Apgar doesn’t think the penalty sets a precedent, he says health plans must understand that OCR wants companies to take breaches seriously and report them quickly. “To me, OCR is saying, ‘this is an issue, and we aren’t putting up with it anymore.’”
Among health insurers, Apgar says delayed reporting doesn’t appear to be as common as failing to conduct a risk analysis or not having the appropriate infrastructure in place to identify when a breach has occurred. “OCR will fine that organization because it would have identified [the breach] sooner if it had a proper risk-management program in place,” he says.
“Due to the increased publicity and scope of data breaches, the precedent-setting action by OCR can be seen as part of a broader response to data privacy and security issues, and a resulting desire to encourage transparency on the part of data-holders,” according to a Jan. 12 paper co-authored by Adelberg.
‘Spear Phishing’ Is Latest Threat
The biggest cybersecurity threat is social engineering. So-called phishing expeditions, which lure employees to unknowingly click on a virus-infected email or malicious web link, have proven very effective. More sophisticated “spear phishers” might steal personal information about an employee and use it to personalize an infected email. The name of that employee’s child, for example, might be used in the subject line, which could be made to appear to be coming from the child’s school, says Apgar. Or, a message to the company’s CEO might be made to look like it’s coming from another executive within the company. “In the end, your biggest risk is people,” he warns.
For 2017, health insurance companies need a “C-suite commitment” to focus on security, says Apgar, and that needs to go beyond buying sophisticated tools. Carriers also need to conduct a risk analysis to identify potential gaps, ensure that policies and procedures are in place, and conduct mock phishing exercises to see which employees might click on malicious links. Without first completing those steps, sophisticated tools aren’t much use.
“I’ve heard from health plans and health care providers that don’t want to spend millions of dollars on infrastructure and security improvements when the fines are far less expensive. It’s cynical, but I have heard that,” he says, adding that such a philosophy is also foolish.
Along with a fine, a breach could lead to bad press and class-action lawsuits filed by those affected. He points to a $1.5 million fine that BlueCross BlueShield of Tennessee agreed to pay in response to 57 hard drives being stolen in 2009, affecting more than 1 million people. The insurance carrier wound up spending nearly $17 million on the investigation, data encryption, notification and mitigation.
How Should Carriers Prepare?
Incidents in which there has been a breach of PHI can include everything from lost paper documents or messages sent to an incorrect fax number to a theft of unencrypted hard drives or a lost laptop. Having a program in place that identifies your gaps before they’re exploited is half the battle, says Holtzman. Here’s a look at steps he says health plans should take to protect themselves and their members:
Prepare: Organizations should conduct a risk assessment and implement a mitigation plan to narrow or eliminate gaps in their approach to safeguarding PHI or to assuring that their systems for securing information are effective, he says.
Document: Health plans must have a well-documented incident response plan. “It’s better to map out and prepare the steps you are going to take when there is a breach well before the breach has actually occurred,” Holtzman says.
Investigate: All incidents — in which there is a suspected unauthorized use or disclosure of PHI — must be thoroughly investigated and documented. When there has been an incident involving an electronic information system, it’s important to conduct a forensic analysis of the incident and to implement the response plan to stop the breach from spreading. If an outside firm is hired to conduct the analysis, it needs to be brought in as early as possible, he says.
Notify: The BNR requires covered entities like health plans to notify affected individuals within 60 days after they have discovered that there has been a breach. The BNR also requires notification to the government, and in incidents affecting more than 500 people, notice to the media. (Some state laws may require a shorter notification window.) Once a breach is detected, there needs to be a process in place to notify affected individuals, HHS and the media, if necessary. Breaches impacting fewer than 500 people can be reported to OCR in an annual report, within 60 days of the end of the calendar year, said Holtzman.
Jocelyn Samuels, an Obama-administration appointee, will head OCR until Jan. 20 when Donald Trump is sworn in as president. Samuels’ replacement will be appointed by the incoming HHS secretary. Rep. Tom Price, M.D. (R-Ga.), Trump’s pick to head that office, is expected to be confirmed. Given congressional efforts to repeal and replace the Affordable Care Act, appointing someone to head OCR won’t be high on the list of priorities for the Trump administration. Until a new person is appointed, the agency will continue along the same path, Apgar says.
Samuels presided over an unprecedented 13 enforcement actions that netted OCR nearly $25 million in 2016, more than double the agency’s take in any single prior year. OCR is likely to issue few, if any, settlements before a new director takes the helm, according to the Health Care Compliance Association’s Report on Patient Privacy publication.
To see HHS/OCR’s statement on the Presence Health case, visit http://tinyurl.com/j8omdtk.
The resolution agreement and corrective action plan may be found on the OCR website at http://tinyurl.com/grps7ez.