Delayed Notification of a PHI Breach Runs Afoul of HIPAA and State Law

August 17, 2017 | Benjamin P. Malerba | Ada Kozicz
New York Attorney General Eric Schneiderman recently announced a settlement with healthcare services company CoPilot Provider Support Services, Inc. (“CoPilot”), which was charged with unlawfully delaying patient notification of a data breach that involved more than 220,000 patient records. CoPilot waited over a year to notify patients of the breach of their protected health information.
In October 2015, CoPilot’s software program that helps physicians determine whether medications are covered by patients’ insurance was breached. In February 2016, the Federal Bureau of Investigation (“FBI”) opened an investigation to identify the culprit behind the breach. CoPilot did not begin sending notices to patients whose private information – including names and Social Security numbers – was compromised until the middle of January 2017, over a year after the breach occurred.
CoPilot alleged that the delay in notification was due to the ongoing FBI investigation. However, this argument was unconvincing to the New York Attorney General, who explained: “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”
CoPilot was fined $130,000 for violating New York General Business Law §899-aa, which requires businesses to provide notice to consumers “in the most expedient time possible and without unreasonable delay” of any breach of security that involves their private information. The law also states that notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation.
In CoPilot’s case, however, the FBI never instructed the company to delay notification, and there was no reason to believe that notification would impede the FBI’s investigation. The Attorney General explained that, even if the FBI had instructed the company to delay notification, the company would have had an obligation under the General Business Law to (i) obtain such instructions in writing, (ii) request a date by which notification may be provided and (iii) if no such date is provided, maintain contact with the government agency until approval for notification is provided.
The notification requirements under the General Business Law apply to all types of companies that do business in New York. For companies in the healthcare industry in particular, the CoPilot settlement serves as an important reminder that when it comes to privacy and security of patient information, companies must not only comply with the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (collectively, “HIPAA”), they must also comply with state law requirements with respect to privacy and security standards as well as notification requirements when a breach occurs.
Although the requirements under New York law are generally similar to the HIPAA requirements, it is important that company executives and compliance officers consider such state law requirements. Failure to do so can subject a company to investigations and penalties by state authorities. Thus, all companies are encouraged to routinely review their existing compliance programs and notification protocols to ensure compliance with both federal and state law.