Presence Health Hit With Hefty Fine for Data Breach

One of the first things all health care providers and other HIPAA covered entities must consider when learning of a data breach is HIPAA’s notification requirements. In accordance with the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, HIPAA covered entities are required to report breaches of unsecured protected health information (PHI) to affected individuals, the HHS and, under certain circumstances, the media. The Rule generally requires notification no later than 60 days after discovery of a breach.

Recently, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) pursued its first enforcement action against a health care system for failure to timely report a breach of unsecured PHI. The enforcement action was brought against Presence Health, a large health care network in Illinois. In 2013, Presence Health learned that paper operating room schedules containing PHI for over 800 patients were missing. While it did notify the affected individuals, media, and HHS, it did not do so until over 100 days after it discovered the breach, in violation of the deadlines set forth under the HIPAA Breach Notification Rule. Presence Health settled with OCR, entering into a resolution agreement in which the health care network agreed to pay $475,000 and also to revise or adopt several policies and procedures regarding breach reporting and protection of PHI.

This settlement reinforces OCR’s commitment to enforcing data breach laws, and specifically reporting requirements. To avoid a similar situation, HIPAA covered entities should ensure that they (1) know the reporting requirements and have them readily accessible, (2) establish policies and procedures that clearly delineate specific employee roles in complying with the reporting requirements in the event of a breach, and (3) meet all reporting deadlines. As made perfectly clear in the Presence Health matter, the reporting deadlines are not “soft” deadlines.