- First OCR Enforcement Action of 2017
- Failure to provide prompt notices to affected individuals, media outlets, and OCR
- Payment of $475,000
- The deadline for reporting 2016 breaches affecting fewer than 500 individuals is March 1.
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has announced its first Health Insurance Portability and Accountability Act (HIPAA) settlement of the year regarding the untimely reporting of a breach of unsecured protected health information (PHI). The OCR settlement is with Presence Health, an Illinois health care network with 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. The settlement includes a $475,000 fine and a two-year corrective action plan that subjects Presence Health’s HIPAA compliance to close scrutiny by HHS. The settlement also provides a not so gentle reminder to make sure that breach notification reports are filed in a timely manner.
The settlement arose from an October 2013 breach involving the discovery that paper-based operating room schedules, which contained unsecured PHI, including names, dates of birth, medical record numbers and dates of procedures, of 836 individuals, were missing from the Presence Surgery Center at Presence St. Joseph Medical Center. Presence St. Joseph Medical Center notified the affected individuals, the media, and HHS, respectively, more than 100 calendar days after Presence Health discovered the breach. While notice to affected individuals and OCR is required without unreasonable delay and not later than 60 days after discovery of a breach affecting 500 or more individuals, notice to OCR can be delayed until 60 days after the end of the calendar year (March 1) for breaches affecting fewer than 500 individuals. The filing date for reporting smaller breaches occurring in 2016 is fast approaching. Covered entities should begin preparing to file their breach notification reports with OCR.
The OCR investigation of Presence Health also included a review of reports of breaches affecting fewer than 500 individuals that were submitted in 2015 and 2016. The investigation revealed that with regard to several of those reported breaches, Presence failed to provide timely written breach notifications to the individuals whose PHI had been compromised as a result of those breaches.