By the Kean Miller Health Law Team

On January 9, 2017, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its first HIPAA settlement arising from a failure to provide timely breach notification. Presence Health Network (Presence), one of the largest health care systems in Illinois, agreed to pay $475,000 as a result of Presence’s 2013 failure to provide timely notification in accordance with the HIPAA Breach Notification Rule. A copy of the Resolution Agreement between Presence and OCR is available here.

In 2013, Presence reported to OCR the loss of paper-based operating room schedules containing protected health information of 836 individuals. Under the Breach Notification Rule, HIPAA covered entities are required to provide written notification to individuals affected by a breach without unreasonable delay and in no case later than 60 calendar days following discovery of the breach. Additionally, for breaches affecting more than 500 individuals, contemporaneous notice must also be provided to OCR, and notice must be provided to prominent media outlets serving the State or jurisdiction where more than 500 affected individuals reside. According to the Resolution Agreement between Presence and OCR, Presence failed to comply with all of the required notification deadlines. OCR’s investigation revealed that Presence notified the affected individuals 104 days following discovery, OCR 101 days after discovery, and the media 106 days after discovery. Moreover, during its investigation, OCR identified several other occasions where Presence was late notifying individuals of breaches affecting fewer than 500 individuals.

The settlement is an important reminder to covered entities of the need to timely and effectively investigate and report data breaches. As noted in the Resolution Agreement, each day that a notification is late is a separate violation of the Breach Notification Rule. Covered entities need to have effective policies and procedures in place to appropriately respond to and report data breaches. Additionally, covered entities must adequately train their workforce members on how to identify and internally report potential data breaches.

As a reminder, the deadline for reporting 2016 breaches involving fewer than 500 individuals is March 1, 2017.