The U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently announced its first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (“PHI”). Chicago-based Presence Health System (“Presence Health”) agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000.00 and implementing a Corrective Action Plan.

On October 22, 2013, Presence Health discovered that paper-based operating room schedules containing the PHI of 836 individuals were missing from the Presence Surgery Center at Presence St. Joseph Medical Center. However, it was not until January 31, 2014 — 101 days after its discovery — that Presence Health notified HHS of the breach. Following an investigation, OCR found that Presence Health failed to notify affected individuals until February 4, 2014 (105 days after discovery), and media outlets until February 5, 2014 (106 days after discovery).

These notifications were untimely. According to OCR Director Jocelyn Samuels:

Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.

This settlement is an important reminder of the importance of ensuring timely breach notification. As provided in the HIPAA Breach Notification Rule, covered entities, upon discovery of a breach of unsecured PHI, may have up to three separate notification obligations, depending upon the number of affected individuals:

  • Individual Notification: For all breaches, notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery.
  • Media Notification: For breaches affecting more than 500 residents of a State or jurisdiction, notify prominent media outlets serving the State or jurisdiction without unreasonable delay and in no case later than 60 calendar days after discovery.
  • HHS Notification:
    • For breaches affecting 500 or more individuals, notify HHS via its web portal contemporaneously with the individual notification.
    • For breaches affecting fewer than 500 individuals, notify HHS via its web portal not later than 60 days after the end of the calendar year.