[BreachExchange] First HIPAA Enforcement Action of 2017 – Failure to Provide Timely Notice of Breach to OCR

[Inga Goddijn]

http://www.natlawreview.com/article/first-hipaa-enforcement-action-2017-failure-to-provide-timely-notice-breach-to-ocr

Key Takeaways:
First OCR Enforcement Action of 2017
Failure to provide prompt notices to affected individuals, media outlets,
and OCR
Payment of $475,000
The deadline for reporting 2016 breaches affecting fewer than 500
individuals is March 1.

The U.S. Department of Health and Human Services (HHS), Office for Civil
Rights (OCR) has announced its first Health Insurance Portability and
Accountability Act (HIPAA) settlement of the year regarding the untimely
reporting of a breach of unsecured protected health information (PHI). The
OCR settlement is with Presence Health, an Illinois health care network
with 150 locations, including 11 hospitals and 27 long-term care and senior
living facilities. The settlement includes a $475,000 fine and a two-year
corrective action plan that subjects Presence Health’s HIPAA compliance to
close scrutiny by HHS. The settlement also provides a not so gentle
reminder to make sure that breach notification reports are filed in a
timely manner.

The settlement arose from an October 2013 breach involving the discovery
that paper-based operating room schedules, which contained unsecured PHI,
including names, dates of birth, medical record numbers and dates of
procedures, of 836 individuals, were missing from the Presence Surgery
Center at Presence St. Joseph Medical Center. Presence St. Joseph Medical
Center notified the affected individuals, the media, and HHS, respectively,
more than 100 calendar days after Presence Health discovered the breach.
While notice to affected individuals and OCR is required without
unreasonable delay and not later than 60 days after discovery of a breach
affecting 500 or more individuals, notice to OCR can be delayed until 60
days after the end of the calendar year (March 1) for breaches affecting
fewer than 500 individuals. The filing date for reporting smaller breaches
occurring in 2016 is fast approaching. Covered entities should begin
preparing to file their breach notification reports with OCR.

The OCR investigation of Presence Health also included a review of reports
of breaches affecting fewer than 500 individuals that were submitted in
2015 and 2016. The investigation revealed that with regard to several of
those reported breaches, Presence failed to provide timely written breach
notifications to the individuals whose PHI had been compromised as a result
of those breaches.

More information on the settlement and the corrective action plan is
available here <https://www.hhs.gov/sites/default/files/presence-ra-cap.pdf>
.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170111/d3606a9c/attachment.html>