On January 9, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced the first HIPAA settlement based on a failure to timely provide notifications of a breach of unsecured protected health information (“PHI”) under the HIPAA Breach Notification Rule, with Illinois-based Presence Health. Presence Health had failed to timely notify affected individuals, the media and OCR within 60 calendar days after discovery of a breach, as required by the HIPAA Breach Notification Rule. Besides being the first OCR HIPAA settlement of 2017, this settlement is the first enforcement action relating to untimely breach reporting by a HIPAA covered entity.
Presence Health agreed to settle the potential allegations of violations of the HIPAA Breach Notification Rule by paying $475,000 and entering into a corrective action plan with OCR. Presence Health is one of the largest health care networks in Illinois with over 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Presence also has several physician offices and health care centers.
According to the OCR press release, Presence Health submitted a breach notification report to OCR on January 31, 2014, indicating that it had discovered a breach on October 22, 2013, involving missing paper-based operating room schedules containing the PHI of 863 individuals. OCR concluded in its notification that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 863 individuals affected by the breach. OCR also found that Presence Health failed to timely notify prominent media outlets (as required for breaches affecting more than 500 individuals) and OCR itself.
The breach notification by Presence Health to OCR was made 101 calendar days after it discovered the breach. Notification was not provided to the 863 affected individuals until February 3, 2014, which was 104 calendar days after discovery of the breach. Finally, Presence Health did not notify prominent media outlets until February 5, 2014, which was 106 calendar days after discovery of the breach. The breach arose from missing operating room schedules from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The schedules contained PHI such as patient names, dates of birth, medical record numbers, dates and types of medical procedures, surgeon names, and types of anesthesia.
During the course of OCR’s investigation of the October 2013 breach, OCR also reviewed breach notification reports filed by Presence Health in 2015 and 2016 regarding breaches affecting fewer than 500 individuals. OCR commented in the resolution agreement that, for several of the breaches described in the 2015 and 2016 reports, notification was not provided timely (i.e., within 60 calendar days) to the affected individuals whose PHI had been compromised.
In the OCR press release, OCR Director Jocelyn Samuels emphasized that “[c]overed entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.” She also emphasized that “[i]ndividuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
The resolution agreement for this settlement requires Presence Health to also enter into a Corrective Action Plan that obligates Presence Health to:
- Revise its policies and procedures related to complying with the Breach Notification Rule, including policies and procedures that set forth its workforce members’ roles and responsibilities with respect to (1) receiving and addressing internal and external breach reports, (2) completing risk assessments of potential breaches of unsecured PHI and (3) preparing required notifications to individuals, the media and OCR;
- Modify its policies and procedures for sanctions against workforce members who fail to comply with the entity’s HIPAA procedures;
- Distribute the revised policies and procedures to all Presence Health workforce members;
- Submit its security awareness training program to OCR and provide training to all workforce members;
- Report any events of noncompliance with its HIPAA policies and procedures; and
- Submit annual compliance reports for a period of two years.
One of the primary lessons from this settlement for physicians and other providers is to have a clear internal policy and procedure to investigate potential breaches of individuals’ PHI, to provide any required notices to individuals within 60 days of discovery of a breach, and to meet any other timelines required by the HIPAA Breach Notification Rule, such as breach notification to the media and OCR.
Any investigation of a potential breach of an individual’s PHI, and the actions taken by the healthcare provider in response, should also be documented. Finally, healthcare providers should keep in mind that “an impermissible use or disclosure of PHI is presumed to be a breach unless a covered entity or business associate demonstrates there is a low probability that the PHI has been compromised based on a risk assessment using at least the four factors contained in the Breach Notification Rule.”