On June 15th, New York Attorney General Eric Schneiderman announced a settlement with CoPilot Provider Support Services Inc. to resolve allegations that the company improperly delayed, by more than a year, notice of a breach involving health information to more than 220,000 consumers, including over 25,000 New York residents. The company agreed to pay $130,000 and reform its breach notification practices to settle the matter.
CoPilot, a New York corporation, provides healthcare support services, including a website that healthcare providers can use to help assess whether insurance coverage is available for particular medications. In October 2015, an unauthorized party gained access to information about approximately 220,000 patients, including data such as patient name, gender, date of birth, address, phone number, medical insurance card information, and Social Security numbers. The FBI opened an investigation in mid-February 2016 at the company’s request. Breach notices, however, were not sent until January 18, 2017, “more than one year after CoPilot learned of the breach.” CoPilot attributed the delay to the law enforcement investigation, but the Attorney General found that the FBI had not requested a delay in notification and, as a result, that CoPilot had failed to provide notice in a timely manner.
Health Breaches Can Involve More than HIPAA and HHS OCR
The settlement is a reminder to life science companies, providers and others handling health information that HIPAA is not the only source of potential privacy, data security, or breach notification obligations, and that the Department of Health and Human Services Office for Civil Rights (HHS OCR) is not the only possible enforcement agency. In this case, CoPilot may have been a HIPAA business associate, but this action was brought by the New York Attorney General under New York’s state breach notification statute.
Documentation of Law Enforcement Hold Requests
The settlement also is a reminder to entities of the importance of properly documenting law enforcement hold requests. The mere existence of an investigation is not enough to delay notice; law enforcement must actually request a delay in notification. While the standard may vary slightly depending upon applicable law, law enforcement typically must find that a delay is necessary so as not to impede a criminal investigation (some statutes also recognize national security considerations as a basis for delay).
In the case of HIPAA, for example, law enforcement must find that providing notice as otherwise required by HIPAA “would impede a criminal investigation or cause damage to national security.” The form of law enforcement’s request dictates the length of delay under HIPAA that is permissible. If the law enforcement request is in writing and specifies the length of the delay, notice is to be delayed for that period of time. If the law enforcement official’s request is made orally rather than in writing, the covered entity or business associate receiving it is to document the request (including the identity of the requestor) and delay notice for up to 30 days at which point notice is required unless a suitable written request for further delay has been received from law enforcement within that time. 45 C.F.R. § 164.412.
State laws vary in specificity about what is necessary for a law enforcement hold. New York’s breach notification statute provides that notice may be delayed “if a law enforcement agency determines that such notification impedes a criminal investigation” but is silent as to documentation. NY Gen. Bus. L. § 899-aa(4). The CoPilot settlement, however, requires the company to obtain a written request from authorized law enforcement personnel before delaying notice in the future due to a law enforcement investigation. CoPilot also must request a date upon which notice can be provided and, if the date is not forthcoming, maintain contact with law enforcement until approval to send notifications is obtained.