On January 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Presence Health stemming from the entity’s failure to notify affected individuals, the media and OCR within 60 days of discovering a breach. This marks the first OCR settlement of 2017 and the first enforcement action relating to untimely breach reporting by a HIPAA covered entity.
Presence Health, a large health care network in Illinois with over 150 locations, submitted a breach report to OCR on January 31, 2014, indicating that it had discovered a breach on October 22, 2013 that involved missing paper-based operating room schedules. The schedules contained protected health information (“PHI”) such as patient names, medical record numbers, and dates and types of medical procedures. OCR investigated Presence Health and found that it notified affected individuals about breaches in 2015 and 2016 in an untimely manner that did not meet the 60-day notification requirement.
The resolution agreement requires Presence Health to pay $475,000 to OCR and enter into a Corrective Action Plan that obligates Presence Health to:
- revise its policies and procedures related to complying with the Breach Notification Rule, including policies and procedures that set forth its workforce members’ roles and responsibilities with respect to (1) receiving and addressing internal and external breach reports, (2) completing risk assessments of potential breaches of unsecured PHI and (3) preparing required notifications to individuals, the media and OCR;
- modify its policies and procedures for sanctions against workforce members who fail to comply with the entity’s HIPAA procedures;
- distribute the revised policies and procedures to all Presence Health workforce members;
- submit its security awareness training program to OCR and provide training to all workforce members;
- report any events of noncompliance with its HIPAA policies and procedures; and
- submit annual compliance reports for a period of two years.
In announcing the settlement with Presence Health, OCR Director Jocelyn Samuels noted that “[c]overed entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.” She also emphasized that “[i]ndividuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
This settlement puts covered entities on notice that they must act quickly following the discovery of a breach of unsecured PHI. It appears OCR will now begin to more vigorously enforce the requirement to provide notifications to individuals and submit breach notification reports for breaches affecting 500 or more individuals to OCR within 60 days of discovering a breach.