If you wait too long to report a HIPAA breach, you will get fined.
That’s the takeaway from a recent settlement out of Illinois.
The Illinois health system will pay a $475,000 settlement over allegations it waited too long to report a data breach involving protected health information (PHI).
This is the first time the government has settled over an untimely reporting of a breach.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the settlement on Jan. 9, 2017.
The OCR received the breach notification report from Presence Health on Jan. 31, 2014, detailing the breach. Paper operation schedules that contained individuals names, dates of birth, medical record numbers, dates and types of procedures, surgeons names and types of anesthesia disappeared from the Presence Surgery Center in Joliet, Illinois.
It took Presence Health more than three months to report the breach, which took place on Oct. 22, 2013 and wasn’t reported to the 836 people affected until Feb. 3, 2014.
This settlement makes it clear the OCR enforces the breach notifications required.
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
Under the Health Insurance Portability and Accountability Act’s Breach Notification Rule, organizations have an obligation to notify affected individuals, media outlets and the Department of Health and Human Services within 60 days of the discovery of a breach.
Colin Zick, a health care attorney with Foley Hoag LLP in Boston, told Bloomberg BNA that it “didn’t appear that Presence Health deliberately violated the rule, noting the health system said the delay was due to an internal ‘miscommunication.’ Nevertheless, the settlement reinforces that the 60-day notice period is real and meaningful to the OCR, Zick said.”
While Presence didn’t admit to any liability with the settlement, it doesn’t mean they weren’t in violation of HIPAA rules.
The OCR’s breach notification guide may be found at: http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Are you covered for identity theft?
Image: Pixabay