OCR Kicks Off The New Year With Its First Enforcement Action For Lack Of Timely Breach Notification

OCR Announced $475,000 HIPAA Settlement

OCR continues to report HIPAA violations for unauthorized access or disclosure of Protected Health Information (PHI). In 2016, OCR reported on a number of high-profile cases and record-setting settlements, including one that was over $5 million. OCR reported that breaches of PHI are increasing and an estimated 50 million people have had their PHI compromised. However, the true number of individuals that have had their PHI compromised is much greater because most breaches involve less than 500 individuals and therefore are not subject to public disclosure.

Most recently, OCR announced the first HIPAA settlement for the untimely reporting of a breach of unsecured PHI. Presence Health (Presence) agreed to a $475,000 settlement and to implement a corrective action plan (CAP). Presence is one of the largest health care networks serving Illinois and consists of approximately 150 locations, including 11 hospitals, 27 long-term care and senior living facilities, and multiple physicians’ offices and health care centers. OCR used the announcement of the Presence settlement to spotlight the timely breach notification requirement and the importance of urgent breach notification for affected individuals and regulatory agencies.

In 2014, OCR received a breach notification report from Presence concerning paper-based operating room schedules that had gone missing. These schedules contained the PHI of 836 individuals, including the following details:

• Dates and types of procedures;
• Dates of birth;
• Medical record numbers;
• Names;
• Surgeons’ names; and
• Types of anesthesia used.

Presence failed to notify OCR, the individuals affected by the breach, and prominent media outlets within 60 days of discovering the breach, as required for breaches affecting 500 or more individuals. As OCR Director Jocelyn Samuels stated in a press release, “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The timely breach notification regulation is designed to help affected individuals mitigate any harm, including the exposure of financial and personal information. During the investigation of the 2013 breach, OCR also reviewed breaches submitted by Presence entities in 2015 and 2016 that affected fewer than 500 individuals. Investigators discovered that Presence failed to provide timely notification to affected individuals in these breaches as well.

The current HIPAA settlement agreement requires Presence to revise its breach notification policies and procedures and submit them to OCR within 60 days, according to the terms of the CAP. The CAP also requires Presence to outline staff responsibilities regarding breach discovery and reporting, and risk analysis.