HIPAA Breach Notification Settlement – First Case of Untimely Notice of Breach
Wednesday, January 25th, 2017
Failing to Provide Breach Notification on Time
An OCR settlement with Presence Health is heralded as the first OCR settlement resulting from a failure to report a breach of unsecured protected health information (PHI) within the time frames required under the HIPAA Breach Notification Rule. Failing to meet those time frames cost Presence $475,000 to settle with OCR.
The case arose when paper-based operating schedules containing the PHI of 836 individuals were found to be missing from the surgery center at one of the provider’s medical centers. The schedules were discovered to be missing on October 22, 2013, but breach notification was not provided to OCR until January 31, 2014, roughly 101 days after discovery. That missed the requirement that a covered entity notify OCR of a breach without unreasonable delay and in no case later than 60 days after discovery. Because the breach affected 500 or more individuals, the rules for larger breaches applied, which require notification of the affected individuals, prominent media outlets, and OCR.
In its press release covering this settlement, the OCR stressed that “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements…Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
It is unclear exactly why the provider failed to meet the regulatory deadline in this case. The settlement is a good example of why covered entities need clear policies describing the process to follow when faced with a potential breach. Breach notification is also an area reviewed under OCR’s Phase 2 audit program. Providers should be certain that their breach notification policies and procedures are in place and actually followed. The breach notification regulations have changed over the years, so policies should be reviewed to be certain they comply with current law and have been properly updated.