
$475,000 Settlement for Delayed HIPAA Breach Notification

The Department of Health and Human Services' Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. It is also the first settlement to date based solely on an unreasonable delay in breach notification following the exposure of patients' protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations.

Following a breach of unsecured PHI, the HIPAA Breach Notification Rule requires covered entities to send breach notification letters to all affected individuals advising them of the breach. Those letters must be issued without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. The 60 days is an outer limit, not a grace period: a covered entity that could have notified patients sooner but waited until day 59 may still have delayed unreasonably.

Additionally, if the breach affects 500 or more individuals, a breach report must be submitted to the Office for Civil Rights within the same 60-day window, and if more than 500 residents of a single state or jurisdiction are affected, the Breach Notification Rule also requires the covered entity to notify prominent media outlets serving that area. Where the covered entity lacks current contact information for 10 or more affected individuals, it must also provide a substitute notice, either a conspicuous posting on the home page of its website for 90 days or a notice in major print or broadcast media, together with a toll-free number that individuals can call to find out whether their PHI was involved.

Smaller breaches affecting fewer than 500 individuals must also be reported to OCR, although covered entities may log these breaches and report them annually, no later than 60 days after the end of the calendar year in which they were discovered. Covered entities should note that state data breach laws may impose shorter deadlines, and that the annual reporting option applies only to the report to OCR: regardless of the number of individuals affected, HIPAA still requires the affected individuals themselves to be notified within 60 days of discovery of the breach.


Presence Health experienced a breach of physical (paper) protected health information in late 2013. Operating room schedules had been removed from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois, and could not be located. The documents contained sensitive data on 836 patients, including names, dates of birth, medical record numbers, details of the procedures performed, treatment dates, the types of anaesthesia administered, and the names of the surgeons who performed the operations.

Presence Health became aware that the documents were missing on October 22, 2013, so the 60-day deadline for notification fell on December 21, 2013. OCR was not notified of the breach until January 31, 2014, more than a month after that deadline had passed.

OCR investigates all breaches affecting 500 or more individuals, and selected breaches affecting fewer than 500. The OCR investigation found that notification to OCR was issued 101 days after the breach was discovered, 41 days after the reporting deadline had passed. Affected individuals were not notified until 104 days after discovery, 44 days after the Breach Notification Rule deadline, and the media notice was issued 106 days after discovery, 46 days after the deadline. (The page's original figures placed OCR notification at 104 days and patient notification at 101 days, which is inconsistent with the January 31, 2014 OCR notification date given above; January 31 is 101 days after October 22, and the figures have been corrected accordingly.)

Investigators determined that this was not the only instance in which breach notifications to patients had been delayed. Presence Health had experienced a number of smaller PHI breaches in 2015 and 2016, and for several of those breaches it did not provide the affected individuals with timely notification.

Announcing the resolution agreement and settlement, OCR Director Jocelyn Samuels said “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.” She went on to explain the reason why individuals need to be notified of PHI breaches promptly, saying “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The settlement should serve as a warning to HIPAA covered entities that unnecessary breach notification delays can have serious financial repercussions. 60 days is the maximum time frame for reporting (and announcing) PHI breaches, not a recommendation, and notifications are expected sooner wherever that is practicable.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
