Healthcare network Presence Health recently agreed to a $475,000 OCR HIPAA settlement following a reported data breach and a subsequent delayed breach notification process.
Presence submitted a breach notification report to OCR on January 31, 2014, stemming from an incident on October 22, 2013. The health network discovered that paper-based operating room schedules containing the PHI of 836 individuals were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.
An OCR investigation found that “Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.”
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” OCR Director Jocelyn Samuels said in a statement. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
Presence St. Joseph Medical Center explained that there was a delay in the notification process because of miscommunications between its workforce members, according to the Corrective Action Plan.
The Department of Health and Human Services (HHS) also reviewed Presence Health's reports submitted in 2015 and 2016 regarding breaches affecting fewer than 500 individuals.
“HHS learned that, with regard to several of those reported breaches, the Presence Health entities had failed to provide timely written breach notifications to the individuals whose PHI had been compromised as a result of those breaches,” the CAP stated.
Along with the settlement payment, Presence must also revise its existing policies and procedures related to complying with the Breach Notification Rule requirements and distribute its approved policies and procedures to all workforce members. Furthermore, all necessary training materials must be sent out and Presence workforce members need to receive annual retraining on any new materials.
“Each Presence Health workforce member who is required to receive training shall certify, in electronic or written form, that he or she received the training,” the CAP read. “The training certification shall specify the date on which the training was received.”
Per the HIPAA Breach Notification Rule, individual notification must take place without unreasonable delay and no later than 60 days following discovery of the breach. This applies regardless of the size of the breach, whether more or fewer than 500 individuals are affected.
In instances where fewer than 500 people are affected, covered entities must make an annual report. However, these notices are due to the Secretary “no later than 60 days after the end of the calendar year in which the breaches are discovered.”
This is the first OCR HIPAA settlement announced for 2017. Last year, risk analysis was a key focus area, with OCR stressing the importance of healthcare organizations conducting regular and comprehensive risk analyses. Maintaining proper, regularly updated business associate agreements was also listed as a top area for covered entities.
For example, Illinois-based healthcare system Advocate Health Care (Advocate) agreed to a $5.5 million settlement after multiple alleged HIPAA violations and noncompliance issues. Advocate had submitted three data breach notification reports to HHS between August 23, 2013 and November 1, 2013.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” OCR Director Samuels said in a 2016 statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”