HIPAA

First HIPAA Breach Notification Settlement Totals $475,000

Patient health information breaches—whether from hacking, glitches or just plain old carelessness—remain an all too common occurrence in labs and other health care institutions. Four years ago, a new HIPAA rule took effect requiring providers to furnish timely notification of such breaches. And on Jan. 3, a large Illinois health system named Presence Health became the first provider to settle allegations it violated those notification requirements.

The Rule

Under the HIPAA rule, providers must furnish notification of breaches to three sets of recipients:

  1. The HHS Office for Civil Rights (OCR);
  2. The individuals affected by the breach; and
  3. The media (if the breach affects 500 or more individuals).

The deadline for notification: within 60 days of discovering the breach.

What Happened

On Oct. 22, 2013, Presence discovered that paper-based operating room schedules for one of its surgery centers had been removed from the files. The missing records contained the protected health information of 836 individuals, including names, birth dates, medical record numbers, the dates and types of procedures performed, and the anesthesia administered.

It was a breach requiring notification under the HIPAA rule. The good news is that Presence did send out all of the required notices. The bad news is that it did so only well after the 60-day deadline had expired:

  Notice Recipient          Notice Due Date    Actual Notice Date   Days Late
  OCR                       Dec. 22, 2013      Jan. 31, 2014        41
  836 individual patients   Dec. 22, 2013      Feb. 3, 2014         44
  Media outlets             Dec. 22, 2013      Feb. 5, 2014         46

The Case

The OCR charged Presence with a separate HIPAA violation for each of the late notices (as well as additional violations, committed later, that came to light during the investigation). Facing potential liability in the millions, Presence chose to settle. The price tag: $475,000 plus a commitment to adopt a Corrective Action Plan (CAP) implementing measures to prevent future violations.

Takeaway

Based on the settlement agreement, it appears that Presence understood its breach notification obligations and made earnest efforts to comply with them; it simply took too long to do so. Although the reason the notices were late is not stated, one thing can be said with confidence: written rules and timetables that spell out who responds to a suspected breach, who decides whether it is reportable, and when each notice must go out are essential to meeting the HIPAA breach notification requirements, because the 60-day clock starts at discovery, not at the end of the internal investigation.
