
Breach Notification Violation Ends in $475,000 Settlement

by | Jan 23, 2017 | Compliance-nir, Enforcement-nir, Essential, National Lab Reporter


Patient health information breaches—whether from hacking, glitches or just plain old carelessness—remain an all too common occurrence in labs and other health care institutions. Three years ago, a new HIPAA rule took effect requiring providers to furnish timely notification of such breaches. And on Jan. 3, a large Illinois health system named Presence Health became the first provider to settle allegations it violated those notification requirements.

The Rule
Under the HIPAA rule, providers must furnish notification of breaches to three sets of recipients:

  1. The HHS Office of Civil Rights (OCR);
  2. The individuals affected by the breach; and
  3. The media (if the breach affects 500 or more individuals).

The deadline for notification: within 60 days of discovering the breach.

What Happened
On Oct. 22, 2013, Presence discovered that paper-based OR schedules for one of its surgery centers had been removed from the files. The missing records listed personal health information of 836 individuals, including names, birth dates, medical record numbers, dates and types of procedures received and anesthesia administered.

It was a breach requiring notification under the HIPAA rule. The good news is that Presence did send out all of the required notices. The bad news is that it did so only well after the 60-day deadline had expired:

| Notice Recipient | Notice Due Date | Actual Notice Date | Days Late |
|---|---|---|---|
| OCR | Dec. 22, 2013 | Jan. 31, 2014 | 41 |
| 836 individual patients | Dec. 22, 2013 | Feb. 3, 2014 | 44 |
| Media outlets | Dec. 22, 2013 | Feb. 5, 2014 | 46 |

The Case
The OCR charged Presence with a separate HIPAA violation for each one of the notices that was late (as well as additional violations committed later on that were discovered during the investigation). Faced with potential liability in the millions, Presence decided to settle the claims. The price tag: $475,000 and the promise to adopt a Corrective Action Plan (CAP) implementing measures to prevent future violations.

Takeaway: Based on the settlement agreement, it appears that Presence understood and made earnest efforts to comply with its breach notification obligations. Unfortunately, it took too long to do so. Although it is not clear why the notices were late, what can be said with confidence is that implementing clear and specific rules and timetables for responding to and reporting data breaches is crucial to ensure compliance with HIPAA breach notification requirements.
