CoPilot Provider Services has reached a $130,000 settlement with New York state for delaying its breach notification process.
CoPilot is a health care administrative services and IT service provider. New York Attorney General Eric Schneiderman determined that CoPilot unlawfully delayed breach notification to 221,178 customers until a full year after the initial breach took place.
Schneiderman’s office found that the data breach occurred in October of 2015 due to access by an unauthorized user. CoPilot stores confidential reimbursement data on clients’ patients. The investigation found that the unauthorized individual downloaded patient data, including names, dates of birth, addresses, phone numbers, and medical insurance account information.
The breach notification process should have followed in a timely manner from there; however, CoPilot didn’t notify its clients of the breach until January of 2017. The attorney general found that this was in violation of general business law. CoPilot contends that the breach notification was delayed due to an FBI investigation into the culprit. FBI investigators did not instruct CoPilot to delay breach notification.
“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” said Schneiderman in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”
HIPAA Breach Notification Violation?
The Department of Health and Human Services (HHS) is currently determining if CoPilot is considered a business associate under HIPAA regulation.
A HIPAA business associate is an organization hired by a health care provider that handles protected health information (PHI) over the course of the work it’s been hired to provide. This includes IT services providers, practice management firms, attorneys, EHR platforms, shredding companies, and physical and cloud storage providers, to name a few.
Because the CoPilot data breach included the health insurance information of over 220,000 patients, it’s very likely that the organization will be considered a HIPAA business associate.
The HIPAA Breach Notification Rule sets specific federal guidelines for notifying patients about a data breach. When a breach includes more than 500 individuals’ records, it’s considered “Meaningful.” Meaningful breaches must be reported within 60 days of discovery; that includes patient notification, local media notification, notice to local law enforcement, and a report to the Office for Civil Rights (OCR).
As per information released by the Office of the New York Attorney General, the one-year delay in breach notification did not comply with HIPAA standards.
HIPAA investigations typically take anywhere from 2-4 years to reach settlement, meaning that an announcement out of OCR could still be a long time coming.
In January of 2017, OCR reached its first HIPAA settlement for violation of the HIPAA Breach Notification Rule for $475,000. OCR typically sets precedents for future enforcement efforts early in the year, indicating that more settlements for violation of Breach Notification standards are likely on the horizon. Trends in HIPAA enforcement continue to evolve, and CoPilot could be another target in the months and years ahead.
HIPAA Breach Reporting
Compliancy Group gives health care professionals and business associates confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including HIPAA breach reporting and guided breach management.
With The Guard, professionals in health care can focus on running their business while keeping their patients’ data protected and secure.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!