The first HIPAA settlement of 2017 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). This is also the first settlement to date specifically based on an unnecessary delay to breach notification after the exposure of patients’ protected health data. Presence Health, one of the largest healthcare networks providing cover for residents of Illinois, has agreed to pay OCR $475,000 to settle possible HIPAA Breach Notification Rule breaches.
After a breach of PHI occurs, the HIPAA Breach Notification Rule requires covered bodies to issue breach notification letters to all affected people advising them of the privacy breach. Those letters need to be sent within 60 days of the discovery of the privacy breach, although covered bodies should not delay the issuing of breach notifications to patients or health plan members without good cause.
Additionally, if the privacy breach affects more than 500 people, a breach report must be filed to Office for Civil Rights within 60 days and the Breach Notification Rule also requires covered bodies to issue a breach notice to the media. Covered bodies should also place a substitute breach notice in a prominent place the official company website to alert patients or plan subscribers of the breach.
Smaller breaches impacting fewer than 500 people must also be made known to OCR, although covered bodies can report these smaller breaches annually within 60 days of the end of the calendar year. Covered bodies should note that state data breach laws may not allow such delays and that, regardless of the number of individuals impacted by a breach, HIPAA requires subscribers to always be notified within 60 days of a PHI breach.
Presence Health suffered a breach of physical protected health information (PHI) in late 2013. Operating room schedules had been taken from the Presense Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois, and could not be found. The documents held sensitive data on 836 patients, including names, birth dates, medical record numbers, details of procedures carried out, treatment dates, the types of anaesthesia given, and names of the surgeons that performed operations.
Presence Health became aware that the documents were not present on October 22, 2013, yet OCR was not notified of the violation until January 31, 2014, more than four weeks after the 60-day HIPAA Breach Notification Rule deadline.
OCR reviews all privacy breaches of more than 500 records – and selected branches of fewer than 500 records. The OCR investigation revealed notification to OCR was filed 104 days after the breach was discovered – 34 days after the deadline for reporting the incident had expired. A media notice was released, although not until 106 days after the breach was discovered – 36 days after the HIPAA Breach Notification Rule deadline. Patients were made aware of the breach 101 days after discovery – 31 days after the HIPAA Breach Notification Rule deadline had expired.
Investigators ruled that this was not the only time where breach notifications to patients had been delayed. Presense Health had suffered a number of smaller PHI breaches in 2015 and 2016, yet for some of those breaches, Presense Health did not provide affected individuals with breach notifications in adequate time.
Revealing the resolution agreement and settlement, OCR Director Jocelyn Samuels stated “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.”
She added that the reason why individuals need to be notified of PHI breaches promptly, saying “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
The settlement will serve as a warning to HIPAA covered entities that unnecessary breach notification delays can carry financial ramifications. 60 days is the maximum limit for reporting (and announcing) PHI breaches, not a guideline.