Thirty-three state attorneys general announced on October 17, 2023, that a settlement had been reached with a healthcare clearinghouse over the three-year exposure of the protected health information (PHI) of 1.5 million consumers. As part of the settlement, the healthcare clearinghouse has agreed to fully revamp its data-security protocols and breach-notification procedures, and to pay $1.4 million to the participating states.
The clearinghouse, based in San Juan, Puerto Rico, facilitates transactions between healthcare providers and insurers throughout the United States. In January 2019, the US Department of Health & Human Services’ Office for Civil Rights (HHS-OCR) alerted the clearinghouse that, dating as far back as May 2016, PHI maintained by the company had been exposed online and indexed by search engines. The exposure meant that anyone with internet access could have viewed and potentially downloaded the sensitive patient information.
Despite the alert from the federal government, the clearinghouse put off notifying the affected consumers for more than three months, and, when the company finally did, some notices were sent to incorrect patient addresses. In addition, the notices lacked clarity, leaving many consumers confused about why the clearinghouse had their data and leading some to dismiss the notices as illegitimate.
The settlement resolves allegations made by the attorneys general that the clearinghouse violated state breach notification laws and the federal Health Insurance Portability and Accountability Act (HIPAA).
The violations center on two failures: before the breach, the clearinghouse did not implement reasonable data security and neglected secure-code reviews; after learning of the data exposure, it failed to provide timely and comprehensive information about the breach to consumers.
Under the settlement, the clearinghouse will strengthen its data security and breach-notification practices going forward. This includes implementing a comprehensive information-security program, developing an incident-response plan with specific policies and procedures for notification letters, and undergoing annual third-party security assessments for five years.
The settlement was announced by the attorneys general of Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia, and Wisconsin.
Compliance Perspective
Issue
Covered entities must notify affected individuals following the discovery of a breach of unsecured PHI. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by email if the affected individual has agreed to receive such notices electronically.

If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. They must include, to the extent possible, a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).
Discussion Points
- Review policies and procedures related to HIPAA and PHI. Ensure they include data security and breach-notification practices.
- Train appropriate staff on HIPAA, PHI, and data security, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that recognized security practices are fully implemented and that staff are adhering to data-integrity and security measures. Also audit to ensure that the facility’s policies and procedures for HIPAA and PHI are being followed.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*