According to a Press Release on January 9, 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first Health Insurance Portability and Accountability Act (HIPAA) enforcement settlement of 2017 based on the untimely reporting of a breach of unsecured protected health information (PHI). The covered entity Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. Presence Health is one of the largest health care networks serving Illinois. HHS announced, “With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.”
Background details: On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The missing information included the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. According to the details provided by the OCR investigation, Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.
The Breach Notification Rule requires notification to affected individuals, media, and HHS “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach” (45 CFR 164.404(b), 164.406(b), and 164.408(b)), in the event of breaches affecting more than 500 individuals. Breaches are treated as discovered as of the first day on which the breach is known or in the exercise of reasonable diligence would have been known to the entity (meaning any person, other than the person committing the breach, who is a workforce member or agent of the entity). See 45 C.F.R. § 164.404(a)(2).
In the Resolution Agreement, OCR indicated that there was a separate violation of the Breach Notification Rule for each day on which the covered entity failed to notify each affected individual. OCR Director Jocelyn Samuels stated “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements”. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/presence
OCR’s guidance on breach notification may be found at http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, you can visit http://www.hhs.gov/hipaa/index.html
Bottom Line: This enforcement action emphasizes the importance for covered entities and business associates to have clear policies and procedures in place to respond to Breach Notification Rule requirements within the time frames set forth under the Rule. Keep in mind that although this enforcement action addresses a breach that occurred for more than 500 individuals, all breaches discovered in 2016 affecting fewer than 500 individuals must be reported to HHS by March 1, 2017.