On January 9, 2017, Presence Health agreed to settle with the U.S. Department of Health and Human Services (HHS) over potential violations of the Breach Notification Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is HHS’ first enforcement action against a covered entity that reported a breach but did not do so in a timely manner.

Presence Health is a health care system in Illinois. The alleged HIPAA violations arose from a security breach that occurred sometime in October 2013, involving lost paper-based operating room schedules that contained the protected health information (PHI) of 836 individuals. Under HIPAA, Presence Health had an obligation to notify affected individuals, the media, and HHS without unreasonable delay and no later than 60 calendar days after discovering the breach. HHS found that Presence Health provided notifications to the affected individuals 104 days after discovering the breach; to the media, 106 days after; and to HHS, 101 days after. During the course of its investigation, HHS also uncovered that Presence Health failed to provide timely breach notification for other breaches in 2015 and 2016.

Under the settlement, Presence Health has agreed to pay HHS $475,000 and comply with a comprehensive Corrective Action Plan (CAP). The CAP requires Presence Health to revise its existing policies and procedures relating to breach notification to comply with the Breach Notification Rule; revise existing policies and procedures relating to sanctions against workforce members who fail to comply with HIPAA rules; forward revised policies to HHS within 60 days for HHS’ review and approval; and adopt the policies and procedures within 30 days of HHS’ approval.

What’s the Takeaway?

This enforcement action highlights two important takeaways:

  1. The importance of complying with HIPAA rules down to the specific details. Here, the Breach Notification Rule specifies a timeline for providing notification: without unreasonable delay and no later than 60 calendar days after discovering the breach. No foot-dragging is allowed when reporting HIPAA breaches.
  2. Having policies and procedures to cover breach notification (and other HIPAA requirements) is not enough. Your HIPAA policies and procedures not only have to be compliant, but they also must be implemented accordingly. That means (among other things) reporting breaches within the deadline and, as detailed in the CAP here, imposing sanctions on workforce members who fail to comply with HIPAA-related policies and procedures.