On January 9, 2017, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) announced the first HIPAA enforcement action against a health care provider for failing to make a timely report of a breach of unsecured protected health information (PHI). Presence Health (Presence) agreed to pay $475,000 and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. A covered entity is:

(1) A health plan, (2) A health care clearinghouse, or (3) A health care provider who transmits any health information in electronic form.

Similar breach notification provisions implemented and enforced by the Federal Trade Commission apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act. In addition, state breach reporting laws may impose other requirements. California’s Health and Safety Code section 1280.15(b) requires a clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the California Department of Public Health no later than 15 business days after detection.

Presence is one of the largest health care networks in Illinois. It discovered the loss of paper-based operating room schedules, which contained PHI of 836 individuals, from the surgery center of Presence St. Joseph Medical Center in Joliet, Illinois.

OCR Director Jocelyn Samuels explains:

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”