Health Chain Pays $475,000 HIPAA Penalty for Delay in Telling Victims, Authorities

The announcement marks the first-ever settlement payment for violation of HIPAA’s “Breach Notification Rule.”

Aldrin Brown, Editor-in-Chief

January 9, 2017


The first HIPAA breach penalty of 2017 is calling attention to a lesser-discussed aspect of the federal laws regulating protected health information (PHI): The HIPAA Breach Notification Rule.

Presence Health of Illinois has agreed to pay $475,000 to settle a case alleging the healthcare network waited more than 100 days to notify patients, authorities and the media that a breach of private medical information had occurred.

Under HIPAA rules, covered entities must notify victims “without unreasonable delay and within 60 days” of discovering a breach.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) must be notified simultaneously, and any breach involving more than 500 individuals must also be publicized in major media outlets where the victims reside.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” OCR director Jocelyn Samuels said in today’s statement. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

Presence Health operates hospitals, doctors’ offices, long-term care, senior living, mental health and hospice facilities.

MSPs continue to realize lucrative opportunities managing networks, data and compliance issues for clients in the healthcare industry.

But the attractive business opportunities can carry substantial risk in the event protected health information is mishandled.

HIPAA requires third parties that handle electronic PHI, or ePHI, to be formally designated as “business associates.”

Last year, HIPAA-covered entities and their business associates faced an enforcement crackdown that resulted in a combined $23.5 million in settlement fines, up from just $6.2 million in all of 2015.

Until today, all of the settlement payments stemmed from violations of the HIPAA “Security Rule” or “Privacy Rule,” which govern how ePHI is to be handled securely.

Monday’s announcement marks the first-ever settlement payment for violation of the HIPAA “Breach Notification Rule.”

In the Presence Health case, OCR was notified on Jan. 31, 2014, that paper copies of operating room schedules had gone missing on Oct. 22, 2013, from the Presence Saint Joseph Medical Center in Joliet, Ill.

As a result, PHI of 836 people was compromised, including names, birthdates, medical record numbers, dates and types of procedures, surgeon names and types of anesthesia.

OCR also determined that victims were not properly notified in several other breaches that involved fewer than 500 individuals.

Presence Health blamed the delays on “miscommunications between its workforce members.”

OCR’s full guidance on breach notifications is available on the agency’s website.

 

Editor’s note: A previous version of this story omitted that OCR has also reached settlements in the past for violations of HIPAA’s “Privacy Rule.”

 


About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

 
