The first HIPAA breach penalty of 2017 is calling attention to a lesser-discussed aspect of the federal laws regulating protected health information (PHI): the HIPAA Breach Notification Rule.
Presence Health of Illinois has agreed to pay $475,000 to settle a case alleging the healthcare network waited more than 100 days to notify patients, authorities and the media that a breach of private medical information had occurred.
Under HIPAA rules, covered entities must notify victims “without unreasonable delay and within 60 days” of discovering a breach.
The U.S. Department of Health and Human Services Office of Civil Rights (OCR) must be notified simultaneously, and any breach involving more than 500 individuals must also be publicized in major media outlets where the victims reside.
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” OCR director Jocelyn Samuels said in today’s statement. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
Presence Health operates hospitals, doctors’ offices, long-term care, senior living, mental health and hospice facilities.
Managed service providers (MSPs) continue to realize lucrative opportunities managing networks, data and compliance issues for clients in the healthcare industry.
But the attractive business opportunities can carry substantial risk in the event protected health information is mishandled.
HIPAA requires third parties that handle electronic PHI, or ePHI, to be formally designated as “business associates.”
Last year, HIPAA-covered entities and their business associates faced an enforcement crackdown that resulted in a combined $23.5 million in settlement fines, up from just $6.2 million in all of 2015.
Until today, all of the settlement payments stemmed from violations of the HIPAA “Security Rule” or “Privacy Rule,” which govern how ePHI is to be handled securely.
Monday’s announcement marks the first-ever settlement payment for violation of the HIPAA “Breach Notification Rule.”
In the Presence Health case, OCR was notified on Jan. 31, 2014, that paper copies of operating room schedules had gone missing on Oct. 22, 2013, from the Presence Saint Joseph Medical Center in Joliet, Ill.
As a result, PHI of 836 people was compromised, including names, birthdates, medical record numbers, dates and types of procedures, surgeon names and types of anesthesia.
OCR also determined that victims were not properly notified in several other breaches that involved fewer than 500 individuals.
Presence Health blamed the delays on “miscommunications between its workforce members.”
OCR’s full guidance on breach notifications is available on the agency’s website.
Editor's note: A previous version of this story omitted that OCR has also reached settlements in the past for violations of HIPAA's "Privacy Rule."