First HIPAA Breach Notification Settlement Totals $475,000

Jan 16, 2017 | From G2 Compliance Advisor

Patient health information breaches—whether from hacking, glitches or just plain old carelessness—remain an all too common occurrence in labs and other health care institutions. Four years ago, a new HIPAA rule took effect requiring providers to furnish timely notification of such breaches. And on Jan. 3, a large Illinois health system named Presence Health became the first provider to settle allegations it violated those notification requirements.

The Rule

Under the HIPAA rule, providers must furnish notification of breaches to three sets of recipients:

  1. The HHS Office of Civil Rights (OCR);
  2. The individuals affected by the breach; and
  3. The media (if the breach affects 500 or more individuals).

The deadline for notification: within 60 days of discovering the breach.

What Happened

On Oct. 22, 2013, Presence discovered that paper-based OR schedules for one of its surgery centers had been removed from the files. The missing records listed personal health information of 836 individuals, including names, birth dates, medical record numbers, dates and types of procedures received and anesthesia administered.

It was a breach requiring notification under the HIPAA rule. The good news is that Presence did send out all of the required notices. The bad news is that it did so only well after the 60-day deadline had expired:

| Notice Recipient | Notice Due Date | Actual Notice Date | Days Late |
|---|---|---|---|
| OCR | Dec. 22, 2013 | Jan. 31, 2014 | 41 |
| 836 individual patients | Dec. 22, 2013 | Feb. 3, 2014 | 44 |
| Media outlets | Dec. 22, 2013 | Feb. 5, 2014 | 46 |

The Case

The OCR charged Presence with a separate HIPAA violation for each one of the notices that was late (as well as additional violations committed later on that were discovered during the investigation). Faced with potential liability in the millions, Presence decided to settle the claims. The price tag: $475,000 and the promise to adopt a Corrective Action Plan (CAP) implementing measures to prevent future violations.


Based on the settlement agreement, it appears that Presence understood and made earnest efforts to comply with its breach notification obligations. Unfortunately, it took too long to do so. Although it is not clear why the notices were late, what can be said with confidence is that implementing clear and specific rules and timetables for responding to and reporting data breaches is crucial to ensure compliance with HIPAA breach notification requirements.
