January 17, 2017
The beginning of 2017 has brought two notable developments regarding the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related rules. The Department of Health and Human Services, Office for Civil Rights (“HHS”) has announced its first settlement for the untimely notification of a breach of unsecured protected health information (“PHI”), and HHS has clarified that rules related to disclosure of patient information are not restricted or affected by the sex or gender of either the patient or potential recipient.
Settlement for the Untimely Notification of a Breach of PHI
Presence Health, an Illinois health system, agreed to pay $475,000 and implement a corrective action plan to settle violations of the HIPAA Breach Notification Rule stemming from a breach report filed in January 2014. In the breach report, Presence Health admitted that in October 2013 it discovered that operating room schedules containing the PHI of over 800 individuals were missing.
As a result of the breach of PHI and pursuant to the HIPAA Breach Notification Rule, Presence Health had an obligation to notify the individuals affected by the breach, prominent media outlets serving the state (required here because the breach affected more than 500 individuals) and HHS without unreasonable delay and no later than 60 days after discovering the breach. However, Presence Health, allegedly due to miscommunications between its workforce members, did not provide the required notifications to affected individuals until more than 100 days after discovering the breach.
The resolution agreement signed by HHS and Presence Health also pointed out that Presence Health failed to provide timely written breach notifications to individuals affected by at least two other breaches in 2015 and 2016. It is unclear whether this had any effect on the settlement amount or corrective action plan.
This settlement reinforces the importance of strictly complying with the HIPAA Breach Notification Rule in order to avoid a settlement payment and/or a corrective action plan. For additional information, please also see "OCR Penalizes Slow Data Breach Response" on Taft's Privacy & Data Security Insights blog.
Updated Guidance and FAQ Regarding Sharing Information with Patients’ Loved Ones
In response to confusion surrounding a physician’s ability to share information with patients’ loved ones, HHS has issued new guidance and a related FAQ making it clear that disclosures of PHI to loved ones are in no way limited or impacted by the sex or gender identity of either the patient or the potential recipient.
Under HIPAA, in certain situations covered entities may share an individual’s PHI with a family member of the individual. The updated guidance clarifies that the terms “family member,” “marriage” and “spouse” include, respectively, all dependents of all lawful marriages, lawful marriages (whether same-sex or opposite-sex) and lawfully married spouses.
In addition, covered entities must treat an individual’s personal representative as the individual for purposes of exercising the individual’s rights. With respect to the definition of “personal representative,” covered entities must look to state law. If the state provides that spouses have health care decision-making authority on behalf of each other, then covered entities are required to recognize the lawful spouse of an individual as the individual’s personal representative without regard to the sex of the spouses.
The new FAQ addresses disclosures to loved ones who are not married to the patient or otherwise recognized as a relative of the patient. In certain situations, when the information is directly relevant to the person’s involvement in the patient’s care or payment for health care, covered entities may share information about a patient with the patient’s close friend, relative or someone else identified by the patient. The FAQ reiterates the principle established in the guidance that disclosures of PHI are in no way limited or impacted by the sex or gender identity of either the patient or the potential recipient.