For the first time, on January 9, 2017, the Department of Health and Human Services, Office for Civil Rights (HHS/OCR) settled a HIPAA enforcement action based on the untimely reporting of a breach of unsecured protected health information (PHI).
When a health care institution is subject to a potential breach of PHI, that entity is required under HIPAA to provide notice within 60 days of discovery of the incident.
According to OCR, on January 31, 2014, it received a breach notification report from Chicago-based Presence Health, indicating that on October 22, 2013, the organization discovered that paper records containing the PHI of 836 individuals were missing from one of its facilities. OCR’s investigation revealed that Presence failed to notify − without unreasonable delay and within 60 days of discovering the breach − each of the affected individuals, prominent media outlets and OCR. Although the delay was due to a miscommunication among Presence employees, failure to promptly notify the affected individuals delayed their ability to take swift action to protect themselves.
For its potential violation of the HIPAA Breach Notification Rule, Presence agreed to pay $475,000 and implement a corrective action plan, which includes revising its existing policies and procedures related to breach notification, distributing the updated policies among its workforce and providing employees with training on such policies. The settlement of $475,000 is significant for an incident involving only 836 individuals and represents OCR’s emphasis on balancing the importance of timely breach reporting with the desire not to discourage breach reporting altogether.
Often, it takes entities time to recognize they have an issue that requires reporting. Having an incident response plan and an internal mechanism for reporting these issues to the HIPAA Compliance Officer is critical to an efficient response and investigation, which will translate into a timely response. Any delay in identifying experts and starting the response process could be the difference between being “timely” or “tardy.” The consequences of being tardy could lead to a significant financial burden due to a seemingly small issue.
Wilson Elser’s Cybersecurity & Data Privacy practice has extensive experience guiding entities through data security incidents and the resulting regulatory investigation from OCR. If any of your clients need assistance, contact a practice team member for assistance.
NOTE: Jeremy Merkel (Associate-White Plains) assisted in researching and drafting this Alert.