The Privacy Rule
The key provisions of the Privacy Rule protect any PHI that is held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. This is the responsibility of all institutions that handle PHI. On occasion, not everything goes according to plan and a breach does occur. It is important to know what to do at that time. We share with you a situation in which “HIPAA breach leads to lawsuit.”
The Breach Notification Rule requires covered entities to notify affected individuals, HHS and sometimes the media of a breach of unsecured PHI. In addition, notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. Notification of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. This rule also requires business associates of covered entities to notify the covered entity of the breach. Above all, it is critical that the affected individuals be notified of the nature and extent of the breach. Our experts can provide you with important guidance on Breach Notification.
Hospital Faces Legal Battle
North Shore-Long Island Jewish Health System faced a widening legal battle over allegations that it failed to notify hundreds of patients that an identity-theft ring had stolen their unprotected confidential information. This breach resulted in a lawsuit.
Recently, patients brought a $50 million lawsuit against New York State’s North Shore-Long Island Jewish Health System for allegedly allowing a data breach that violated confidential patient information and for failing to report it to the affected patients for almost a year.
Physician Files Lawsuit
The health system employs one of the people involved in the suit. She worked for North Shore-LIJ for 17 years and was a patient at a system hospital on Jan. 23, 2012, the lawsuit says.
Soon after, police in Arlington, Va., discovered the face sheet from Peterman’s procedure among a pile of documents confiscated during a routine traffic stop there. Eventually the health system learned of the discovery on Feb. 5, 2012, the lawsuit says, yet North Shore officials waited until March 20 to notify her.
In the meantime, Peterman received a bill from AT&T stating that someone had used her information to open five cell phone accounts and run up $2,292 in charges, damaging her credit rating.
Peterman works as an emergency room physician at the system’s 299-bed Huntington (N.Y.) Hospital, Lynam confirmed.
Summary of the Case
Twelve patients out of a group of 100 affected individuals filed a suit. An individual stole data from the North Shore University Hospital in Manhasset. The information consisted of PHI including names, addresses, birthdays, phone numbers and Social Security numbers. Following the breach, the health system sent letters to approximately 200 patients whose identities were compromised and offered them free credit monitoring. Officials discovered and investigated the disclosure, and one year later the covered entity did the breach analysis. Lawyers for the 12 patients say this was too little and too late to help their clients.
What you must know
The main point a provider must remember is to take breach reporting seriously to stay out of harm’s way. In today’s environment, it is not a question of whether but when a breach will affect an organization. It is important to be prepared.
HIPAA Associates is prepared to assist you with your breach reporting. We can make your job much easier.