Healthcare providers are in a uniquely vulnerable position in the event of a data breach because both they and their “business associates” are required to comply with HIPAA’s Breach Notification Rule. This vulnerability was recently underscored by a settlement between CoPilot Support Services Inc. and the state of New York.
CoPilot is a company whose website helps healthcare providers learn if a patient’s insurance covers certain medications. As such, it is considered a business associate under both HIPAA and the HITECH Act.
On Oct. 26, 2015, CoPilot was the victim of a hacker attack. In all, the cyber theft compromised 221,178 patient records, including names, genders, dates of birth, addresses, phone number and insurance IDs. Over 11,300 records also included social security numbers, according to a press release from the office of Eric Schneiderman, the Attorney General for New York state.
CoPilot reported the data breach to the FBI, which opened an investigation in January 2016. But the company did not notify the patients whose data was stolen until January 2017, over a year after it learned of the breach.
CoPilot claimed it withheld the information due to the ongoing criminal investigation. However, the FBI denied telling the company to delay notification, stating that doing so would not have hindered its investigation in any way.
According to Schneiderman’s office, New York state law requires companies to provide notice of a data breach as soon as possible after it occurs. The law also states that companies can’t assume they can delay notification because a criminal investigation is underway.
“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” Schneiderman said. “Waiting over a year to provide notice is unacceptable.
In its settlement with the state, CoPilot agreed to revise its security practices and pay a $130,000 fine.
What the Data Breach Settlement Means
CoPilot’s situation is an important reminder to health care providers that HIPAA, HITECH and various state laws require swift consumer notification in the event of a data breach. Additionally, it highlights the need for physician practices to vet business associates carefully and have appropriate breach notification language in their contracts with them. The penalties, in this case, applied only to CoPilot. However, that doesn’t mean that, in a similar situation, you would not pay a penalty in the event your contract language was flawed.
At The Carmoon Group, we help physicians implement risk management practices that keep their business assets safe. We also offer business insurance and medical malpractice policies tailored to your individual needs. So why not give us a call to speak with a medical malpractice expert today? Or just fill out our online form, and we’ll get back to you right away.