HHS Takes First Enforcement Action Over Reporting of HIPAA Breach

The HHS investigation showed Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.

The U.S. Department of Health and Human Services' Office for Civil Rights on Jan. 9 announced the department's first Health Insurance Portability and Accountability Act (HIPAA) settlement based on the untimely reporting of a breach of unsecured protected health information (PHI), saying Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.

The agency described Chicago-based Presence Health as one of the largest health care networks serving Illinois, with about 150 locations, including 11 hospitals and 27 long-term care and senior living facilities, as well as physicians' offices and health care centers, home care, hospice care, and behavioral health services. "With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether," the agency's announcement states.

It says the office received a breach notification report from Presence Health on Jan. 31, 2014. It indicated that, on Oct. 22, 2013, Presence discovered that paper-based operating room schedules that contained the PHI of 836 individuals were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Ill., and that the data included affected individuals' names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. OCR's investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.

"Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule's timeliness requirements," said OCR Director Jocelyn Samuels. "Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach."

The Resolution Agreement and Corrective Action Plan are available here.

OCR's guidance on breach notification may be found at http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.

Download Center

HTML - No Current Item Deck
  • Free Safety Management Software Demo

    IndustrySafe Safety Management Software helps organizations to improve safety by providing a comprehensive toolset of software modules to help businesses identify trouble spots; reduce claims, lost days, OSHA fines; and more.

  • Get the Ultimate Guide to OSHA Recordkeeping

    When it comes to OSHA recordkeeping there are always questions regarding the requirements and in and outs. IndustrySafe is here to help. We put together this page with critical information to help answer your key questions about OSHA recordkeeping.

  • Safety Training 101

    When it comes to safety training, no matter the industry, there are always questions regarding requirements and certifications. We put together a guide that’s easy to digest so you can ensure you're complying with OSHA's training standards.

  • Conduct EHS Inspections and Audits

    Record and manage your organization’s inspection data with IndustrySafe’s Inspections module. IndustrySafe’s pre-built forms and checklists may be used as is, or can be customized to better suit the needs of your organization.

  • Track Key Safety Performance Indicators

    IndustrySafe’s Dashboard Module allows organizations to easily track safety KPIs and metrics. Gain increased visibility into your business’ operations and safety data.

  • Industry Safe
comments powered by Disqus