Home Health & Hospice Week

HIPAA:

Home Medical Breach Highlights HIPAA Duties

Feds emphasize the need for a ‘timely response.’

A new HIPAA breach notice from Apria Healthcare may show why the feds have been issuing repeated reminders to stay vigilant against hacking.

Recap: “In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information,” the HHS Office for Civil Rights has been saying in various documents and releases going back to last fall. “A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks,” OCR said in its Cybersecurity Newsletter last October.

In a May 22 release, Apria explains that on Sept. 1, 2021, the Indianapolis-based home medical equipment company “received a notification regarding access to select Apria systems by an unauthorized third party. Apria took immediate action to mitigate the incident, including working with the Federal Bureau of Investigation and hiring a reputable forensic investigation team to investigate and securely resolve the incident.”

The unauthorized access was intended to steal funds, not patient data, Apria determined. But the supplier “cannot rule out the possibility that some files containing individuals’ information may have been accessed as a result of this incident,” it says. That includes “in some limited cases, Social Security numbers,” the company admits.

Apria is notifying affected individuals and is providing complimentary identity protection services. It does not say why its reporting of the incident didn’t come until more than 20 months after the fact.

To review, for breaches affecting 500 or more individuals:

  • As a covered entity (CE), you “must notify [HHS] of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach,” notes the HHS Office for Civil Rights (OCR) breach notification guidance. A breach is treated as discovered on the first day it is known to the CE, or by exercising reasonable diligence would have been known, so the clock does not wait for the forensic investigation to conclude.
  • Your breach notification must be filed electronically through OCR’s online breach portal, and the information on the form must be complete and cover all aspects of the breach.
  • If more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that state or jurisdiction, on the same clock as the HHS notice: without unreasonable delay and no later than 60 calendar days after discovery.
  • You need to notify the affected individuals that their PHI was breached, by first-class mail (or by email, if the individual has previously agreed to receive notices electronically), without unreasonable delay and no later than 60 calendar days after discovery, OCR says.

For breaches affecting fewer than 500 individuals:

  • As the CE, you need to notify HHS of the breach no later than 60 days after the end of the calendar year in which the breach was discovered.
  • You submit the forms electronically as well, one form per breach. Breaches that occurred on different days and concern different issues may still all be submitted on the same day.
  • The individuals whose PHI was affected must still be notified by first-class mail or email within 60 calendar days of discovery; the year-end deadline applies only to the report to HHS.
