First of Its Kind HIPAA Enforcement Action

Posted on Monday, January 23, 2017

On January 9, 2017, the U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”), issued a Press Release outlining a recent settlement with the Presence Health Network based upon potential violations of the HIPAA Breach Notification Rules’ requirements for the timely reporting of a breach.  This is the first HIPAA enforcement action for an untimely report of a breach of unsecured protected health information. 

According to the Press Release and the Resolution Agreement between HHS and Presence Health Network, on October 22, 2013, Presence Health Network discovered that a paper operating room schedule was missing from one of its surgery centers.  This list contained protected health information for 836 individuals.  Due to a miscommunication between Presence Health Network’s staff, it failed to timely notify the affected individuals, the media, and OCR/HHS.  When there is a breach that involves more than 500 individuals, the HIPAA regulations generally require notice to affected individuals, OCR/HHS, and prominent media outlets “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”[1]  Here, Presence Health Network provided notice to OCR/HHS 101 days after discovery of the breach, to affected individuals 104 days after discovery of the breach, and to prominent media outlets 106 days after discovery of the breach. 

Presence Health Network agreed to a $475,000 payment to HHS and a two-year Corrective Action Plan that includes the revision of existing policies and procedures, employee training, and various reports to HHS.  In the Press Release, the OCR Director, Jocelyn Samuels, explained the importance of having “clear policies and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” in order to allow people the opportunity to “take action that could help mitigate any potential harm caused by the breach.”  This latest HIPAA-related settlement serves as a reminder to covered entities and business associates to review, revise, and implement robust HIPAA compliance plans to make sure they are reporting breaches in a timely manner.

If you are a covered entity or business associate subject to the HIPAA regulations, contact any BrownWinick attorney in the Health Law Practice Group to assist you in the implementation or revision of your HIPAA compliance plan.

 

[1] 45 C.F.R. §§ 164.404(b), 406(b); see 45 C.F.R. § 408(b).