Compliance leaders take note: The Department of Health and Human Services, Office for Civil Rights (OCR) is paying more attention to timely notification of HIPAA breaches. OCR’s first-ever settlement with a healthcare provider for failing to notify in a timely manner signals a change in expectations.
Presence Health, a network serving Illinois with 150 locations, including 11 hospitals and 27 long-term care and senior living facilities, has agreed to settle with OCR by paying $475,000 and implementing a corrective action plan, OCR announced recently.
This is the first time OCR focused on when the provider reported the problem and made it the crux of the investigation and settlement. Presence reported a breach to OCR on Jan. 31, 2014 — a breach that it discovered on Oct. 22, 2013. The breach involved paper operating room schedules containing the protected health information (PHI) of 836 people.
OCR’s investigation revealed that Presence Health failed to notify OCR, each of the 836 individuals affected by the breach, and prominent media outlets without unreasonable delay and within 60 days of discovering the breach. Media notification is required for breaches affecting 500 or more individuals. The breach went unreported to OCR for 101 days, to affected individuals for 104 days, and to the media for 106 days.
The resolution agreement and corrective action plan are available online at http://bit.ly/2iX7ZjQ.