Health Law Blog - Healthcare Legal Issues

HIPAA Breach Notification Settlement – First Case of Untimely Notice of Breach

Failing to Provide Breach Notification on Time

An OCR settlement with Presence Health is heralded as the first OCR settlement resulting from a failure to report a breach of unsecured protected health information (PHI) within the time frames required under applicable HIPAA regulations. Failing to meet the applicable time frames cost Presence $475,000 to settle with OCR.

The case arose when paper-based operating schedules, which contained PHI of 836 individuals, were found to be missing from the surgery center at one of the provider's medical centers. The operating schedules were discovered to be missing on October 22, 2013, but breach notification was not provided to OCR until January 31, 2014. The notification was not provided in time to meet the requirement that a covered entity notify OCR of a breach without unreasonable delay and within 60 days of discovery. The breach disclosure rules for breaches affecting 500 or more individuals applied. These rules required notification to prominent media outlets, the affected individuals, and OCR.

In its press release covering this settlement, the OCR stressed that “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements…Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

It is unclear exactly why the provider failed to meet the regulatory requirements in this case.  The settlement is a good example of why it is necessary for covered entities to have clear policies describing the process to be followed when faced with a potential breach situation.  This is also an area of OCR audit under the Stage II OCR audit program.  Providers should be certain that their breach disclosure policies and procedures are in place.  There have been changes to the breach disclosure regulations over the years, so policies should be reviewed to be certain that they are in compliance with current law and have been properly updated.


John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide

The Health Care Law Blog is made available by Ruder Ware for educational purposes and to provide a general understanding of some of the legal issues relating to the health care industry. This site does not provide specific legal advice and you should not use the information contained on this site to address your specific situation without consulting with legal counsel that is well versed in health care law and regulation. By using the Health Care Law Blog site you understand that there is no attorney client relationship between you and Ruder Ware or any individual attorney. Postings on this site do not represent the views of our clients. This site links to other information resources on the Internet; these sites are not endorsed or supported by Ruder Ware, and Ruder Ware does not vouch for the accuracy or reliability of any information provided therein. For further information regarding the articles on this blog, contact Ruder Ware through our primary website.