Delayed HIPAA Breach Notification Leads to $475,000 Settlement

by | Jan 20, 2017

The first HIPAA settlement of 2017 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). This is also the first settlement to date specifically based on an unnecessary delay to breach notification after the exposure of patients’ protected health data. Presence Health, one of the largest healthcare networks providing cover for residents of Illinois, has agreed to pay OCR $475,000 to settle possible HIPAA Breach Notification Rule breaches.

After a breach of PHI occurs, the HIPAA Breach Notification Rule requires covered bodies to issue breach notification letters to all affected people advising them of the privacy breach. Those letters need to be sent within 60 days of the discovery of the privacy breach, although covered bodies should not delay the issuing of breach notifications to patients or health plan members without good cause.

Additionally, if the privacy breach affects more than 500 people, a breach report must be filed to Office for Civil Rights within 60 days and the Breach Notification Rule also requires covered bodies to issue a breach notice to the media. Covered bodies should also place a substitute breach notice in a prominent place the official company website to alert patients or plan subscribers of the breach.

Smaller breaches impacting fewer than 500 people must also be made known to OCR, although covered bodies can report these smaller breaches annually within 60 days of the end of the calendar year. Covered bodies should note that state data breach laws may not allow such delays and that, regardless of the number of individuals impacted by a breach, HIPAA requires subscribers to always be notified within 60 days of a PHI breach.

Presence Health suffered a breach of physical protected health information (PHI) in late 2013. Operating room schedules had been taken from the Presense Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois, and could not be found. The documents held sensitive data on 836 patients, including names, birth dates, medical record numbers, details of procedures carried out, treatment dates, the types of anaesthesia given, and names of the surgeons that performed operations.

Presence Health became aware that the documents were not present on October 22, 2013, yet OCR was not notified of the violation until January 31, 2014, more than four weeks after the 60-day HIPAA Breach Notification Rule deadline.

OCR reviews all privacy breaches of more than 500 records – and selected branches of fewer than 500 records. The OCR investigation revealed notification to OCR was filed 104 days after the breach was discovered – 34 days after the deadline for reporting the incident had expired. A media notice was released, although not until 106 days after the breach was discovered – 36 days after the HIPAA Breach Notification Rule deadline. Patients were made aware of the breach 101 days after discovery – 31 days after the HIPAA Breach Notification Rule deadline had expired.

Investigators ruled that this was not the only time where breach notifications to patients had been delayed. Presense Health had suffered a number of smaller PHI breaches in 2015 and 2016, yet for some of those breaches, Presense Health did not provide affected individuals with breach notifications in adequate time.

Revealing the resolution agreement and settlement, OCR Director Jocelyn Samuels stated “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.”

She added that the reason why individuals need to be notified of PHI breaches promptly, saying “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The settlement will serve as a warning to HIPAA covered entities that unnecessary breach notification delays can carry financial ramifications. 60 days is the maximum limit for reporting (and announcing) PHI breaches, not a guideline.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy