HIPAA legislation requires that when a breach of protected health information (PHI) affects more than 500 individuals, covered entities must notify the affected individuals, the media, and the U.S. Department of Health and Human Services Office for Civil Rights (OCR) “without unreasonable delay” and within 60 days. OCR recently announced its first settlement based on a covered entity’s failure to do so within the specified time frame.
Presence Health is one of the largest health care networks in Illinois. On October 13, 2013, printed operating room schedules were noted to be missing. These schedules contained PHI for 836 individuals and included names, dates of birth, medical record numbers, procedure information and surgeons’ names. OCR did not receive a breach notification report until January 31, 2014. Further investigation revealed that Presence Health also failed to contact each individual and the media within 60 days of discovering the breach.
Presence Health agreed to settle potential HIPAA violations by paying a fine of $475,000. The health care network is also required to implement a corrective action plan to avoid a similar occurrence in the future.
What can be learned from this? OCR is sending a clear message: if a breach occurs, have a plan and act quickly.
Covered entities must have established policies and procedures to ensure that the correct notifications take place within the required time period after any breach of PHI. Not only will this help avoid costly monetary penalties, but it also gives affected individuals time to take necessary action to minimize any harm caused by the breach.