The Department of Health and Human Services’ Office for Civil Rights has announced that a $475,000 Presence Healthcare HIPAA settlement has been agreed. This is the first HIPAA enforcement action of 2017 and the first time OCR has settled a case solely based on the delayed issuing of breach notifications to individuals impacted by a protected health information breach.
In 2013, Presence St. Joseph Medical Center, a hospital run by Illinois-based Presence Healthcare, discovered that operating room schedules containing 836 individuals’ protected health information had gone missing from the Presence Surgery Center at St. Josephs.
The documents contained a range of sensitive information on patients, including names, dates of birth, medical record numbers, treatment dates, procedures performed, anesthesia administered, and surgeons’ names. The documents were discovered to be missing on October 22, 2013; however, OCR was not notified of the breach until January 31, 2016, 104 days after the discovery of the breach.
The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires HIPAA-covered entities to report breaches of protected health information to OCR within 60 days of the discovery of a breach. All individuals impacted by the breach must also be notified within 60 days of the discovery date. OCR investigators determined that breach notification letters were not issued until 101 days after the breach: 31 days after the Breach Notification Rule deadline.
The HIPAA Breach Notification Rule also requires covered entities to notify prominent media outlets of a breach of more than 500 records, yet those notifications occurred 106 days after the breach was discovered – 36 days after the Notification Rule deadline had passed.
Before taking the decision to fine healthcare organizations, OCR investigators look for any evidence of historic HIPAA violations. OCR discovered that Presence Healthcare had violated the Breach Notification Rule on several occasions. A number of smaller breaches had occurred in 2015 and 2016, and in several cases, Presence Healthcare had unnecessarily delayed the issuing of breach notification letters to patients.
In addition to the $475,000 Presence Healthcare HIPAA settlement, a corrective action plan must be adopted. The CAP requires Presence Healthcare to update policies and procedures and ensure that notification letters are sent within the timeframe stipulated in the HIPAA Breach Notification Rule.
The $475,000 Presence Healthcare HIPAA settlement should serve as a reminder to all HIPAA-covered entities that individuals must be notified of PHI breaches before the 60-day Breach Notification Rule deadline.
OCR Director Jocelyn Samuels issued a statement about the Presence Healthcare HIPAA settlement, explaining, “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”