Share this article on:
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations.
Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily.
Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to Office for Civil Rights within 60 days and the Breach Notification Rule also requires covered entities to issue a breach notice to prominent media outlets. Covered entities should also place a substitute breach notice in a prominent place the company website to alert patients or plan members to the breach.
Smaller breaches impacting fewer than 500 individuals must also be reported to OCR, although covered entities can report these smaller breaches annually within 60 days of the end of the calendar year. Covered entities should note that state data breach laws may not permit such delays and that regardless of the number of individuals impacted by a breach, HIPAA requires patients to always be notified within 60 days of a PHI breach.
Presence Health experienced a breach of physical protected health information (PHI) in late 2013. Operating room schedules had been removed from the Presense Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois, and could not be located. The documents contained sensitive data on 836 patients, including names, birth dates, medical record numbers, details of procedures performed, treatment dates, the types of anaesthesia provided, and names of the surgeons that performed operations.
Presence Health became aware that the documents were missing on October 22, 2013, yet OCR was not notified of the breach until January 31, 2014, more than a month after the 60-day HIPAA Breach Notification Rule deadline.
OCR investigates all breaches of more than 500 records – and selected branches of fewer than 500 records. The OCR investigation revealed notification to OCR was issued 104 days after the breach was discovered – 34 days after the deadline for reporting the incident had passed. A media notice was issued, although not until 106 days after the breach was discovered – 36 days after the HIPAA Breach Notification Rule deadline. Patients were notified of the breach 101 days after discovery – 31 days after the HIPAA Breach Notification Rule deadline had passed.
Investigators determined that this was not the only instance where breach notifications to patients had been delayed. Presense Health had experienced a number of smaller PHI breaches in 2015 and 2016, yet for several of those breaches, Presense Health did not provide affected individuals with timely breach notifications.
Announcing the resolution agreement and settlement, OCR Director Jocelyn Samuels said “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.” She went on to explain the reason why individuals need to be notified of PHI breaches promptly, saying “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
The settlement should serve as a warning to HIPAA covered entities that unnecessary breach notification delays can have serious financial repercussions. 60-days is the maximum time frame for reporting (and announcing) PHI breaches, not a recommendation.