The penalties under HIPAA can be severe. Entities have paid HIPAA penalties for failure to train, failure to apply contractual protections, failure to protect personal health information in electronic form, failure to review protections and failure to update protections, just to name a few. That list now also includes failure to notify of a breach quickly enough.
On January 9th, 2017, the Department of Health and Human Services (HHS) announced a new HIPAA settlement with Presence Health. Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.
Presence Health is a large health care provider in Illinois with almost 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Among other things, Presence Health offers home care, hospice care, and behavioral health services. On January 31, 2014, HHS received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from a surgery center in Joliet, Illinois. The information included names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.
HHS concluded that this notification was late and outside of the timeframes HIPAA requires. Interestingly, HHS stated in its news release on this penalty that:
"With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether."
To read the news release or resolution agreement, click here.
The rules under HIPAA for breaches affecting 500 or more individuals require notification without unreasonable delay, and in no case later than 60 days after discovery of the breach. Furthermore, discovery is defined as the first day on which the breach is known, or by exercising reasonable diligence would have been known. See HIPAA regulation 45 CFR §164.404(a)(2). Because the clock can start before anyone actually notices the breach, this further highlights the need for constant review of your systems and ongoing monitoring of your compliance. Laws in other jurisdictions, including state law, may impose a different and shorter deadline. These notification requirements can apply to the affected individuals, but also to local media outlets and to HHS. If your entity is covered by HIPAA, you should clearly define policies on breach notification and follow these deadlines. If you need help with HIPAA or these policies, please contact Kinney & Larson LLP.