What happens when you fail to send a breach notification

The HIPAA Breach Notification Rule ensures that covered entities promptly inform individuals when there is a breach of their Protected Health Information (PHI).

The Change Healthcare data breach led to a major disruption of the US healthcare system with many pharmacies and hospitals unable to receive claims and payments. Change Healthcare often acts as a clearing house connecting healthcare providers with insurers, which contributed to the uncertainty about their role in providing breach notifications and delayed notifying the public.  The Ascension health system ransomware attack made them unable to provide emergency care because providers were locked out of their system. 

Such incidents highlight the necessity of breach notifications to fulfill legal obligations and mitigate cascading impacts on healthcare operations and maintain public trust. Understanding and adhering to these requirements protects individuals and the broader healthcare system. 

Legal obligations

The U.S. Department of Health and Human Services states, “Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media”. 

Consequences

According to The Office of the National Coordinator for Health Information Technology, the following are the consequences of failing to properly notify authorities and affected individuals about a HIPAA breach:

• Potential civil penalties: The Office for Civil Rights (OCR) can impose substantial financial penalties for HIPAA Rule non-compliance. State attorneys general may also bring civil actions and seek damages on behalf of state residents.
• Enforcement Actions: OCR conducts investigations of significant breaches, with breaches affecting 500 or more patients being publicly reported on their website. Compliance reviews are typically opened for substantial breaches, subjecting the organization to detailed scrutiny.
• Financial Penalties: The monetary consequences vary based on the level of culpability. Penalties range from $100 to $50,000 per incident for unknown violations, escalating to up to $50,000 for willful neglect. There is an annual cap of $1.5 million for all violations, which can represent a significant financial burden for healthcare organizations.
• Additional Consequences: Beyond financial penalties, organizations may face potential criminal prosecution by the U.S. Department of Justice for knowing misuse of health identifiers or unauthorized disclosure of Protected Health Information. There are also reputational risks and increased likelihood of future regulatory monitoring.

Case studies

University of Rochester Medical Center (URMC) failed to report breaches involving unencrypted devices multiple times and was fined $3 million. The organization had ongoing issues with device encryption and risk analysis, which compounded the severity of the penalties​. 

On the other hand, Hot Topic recently faced criticism for failing to notify customers and authorities promptly about a significant data breach, a delay that could lead to legal repercussions and diminished customer trust. The breach, which exposed sensitive information from nearly 57 million accounts, included names, addresses, phone numbers, partial credit card details, and loyalty account information. The stolen data poses substantial risks, such as identity theft, financial fraud, and targeted phishing attacks. Despite the severity of the breach, Hot Topic has yet to fulfill its legal obligations for notification, potentially facing lawsuits and penalties as a result.

Best practices for compliance

Healthcare law experts, Cohen Healthcare Law Group, suggest the following strategies to maintain compliance:

Implement robust data security measures

• Encrypt Protected Health Information (PHI)
• Use role-based access controls to limit data visibility
• Secure devices with firewalls, antivirus software, and mobile device management (MDM) solutions

Conduct regular HIPAA risk assessments

• Identify where PHI is stored and potential vulnerabilities
• Perform annual risk assessments
• Conduct additional assessments after significant events or technology changes
• Document all findings and corrective actions

Comprehensive employee training

• Develop thorough HIPAA training programs
• Cover key areas like data handling, breach recognition, and security protocols
• Provide regular refresher sessions
• Document all training activities and employee participation

Establish a breach response and incident management plan

• Create clear protocols for detecting and reporting breaches
• Develop a process for investigating incidents
• Prepare procedures for notifying affected individuals and the Office for Civil Rights (OCR)
• Implement measures to prevent future similar incidents

Proactive compliance management

• Stay updated on HIPAA regulations
• Implement administrative, physical, and technical safeguards
• Demonstrate good faith efforts to protect PHI
• Prepare for potential OCR audits and reviews

FAQs

What information should be included in a breach notification?

A breach notification should include a description of the breach, the type of data involved, the potential impact, and steps taken to mitigate the breach and prevent future occurrences.

How can organizations prepare for a data breach?

Organizations can prepare by developing a comprehensive incident response plan, regularly training employees, and conducting security audits.

What are the long-term impacts of a data breach on an organization? 

Long-term impacts can include sustained reputational damage, financial losses, and increased scrutiny from regulatory bodies.