First HIPAA Enforcement Action of 2017 – Failure to Provide Timely Notice of Breach to OCR

Key Takeaways

  • First OCR Enforcement Action of 2017
  • Failure to provide prompt notices to affected individuals, media outlets, and OCR
  • Payment of $475,000
  • The deadline for reporting 2016 breaches affecting fewer than 500 individuals is March 1.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has announced its first Health Insurance Portability and Accountability Act (HIPAA) settlement of the year regarding the untimely reporting of a breach of unsecured protected health information (PHI). The OCR settlement is with Presence Health, an Illinois health care network with 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. The settlement includes a $475,000 fine and a two-year corrective action plan that subjects Presence Health’s HIPAA compliance to close scrutiny by HHS. The settlement also provides a not-so-gentle reminder to file breach notification reports in a timely manner.

The settlement arose from an October 2013 breach: paper-based operating room schedules containing the unsecured PHI of 836 individuals, including names, dates of birth, medical record numbers and dates of procedures, were discovered missing from the Presence Surgery Center at Presence St. Joseph Medical Center. Presence St. Joseph Medical Center notified the affected individuals, the media, and HHS, in each case more than 100 calendar days after Presence Health discovered the breach. While notice to affected individuals and OCR is required without unreasonable delay and not later than 60 days after discovery of a breach affecting 500 or more individuals, notice to OCR can be delayed until 60 days after the end of the calendar year (March 1) for breaches affecting fewer than 500 individuals. The filing date for reporting smaller breaches occurring in 2016 is fast approaching. Covered entities should begin preparing to file their breach notification reports with OCR.

The OCR investigation of Presence Health also included a review of reports of breaches affecting fewer than 500 individuals that were submitted in 2015 and 2016. The investigation revealed that with regard to several of those reported breaches, Presence failed to provide timely written breach notifications to the individuals whose PHI had been compromised as a result of those breaches.

More information on the settlement and the corrective action plan is available here.

©2017 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author


Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...


Jennifer R. Breuer is Vice Chair of Drinker Biddle's Health Care Practice Group and Co-Chair of the firm’s Women's Leadership Committee. Jennifer represents health care providers and suppliers in transactional, compliance and regulatory matters, with a focus on Stark Law and Anti-Kickback Statute compliance for hospital-physician relationships and data strategy/privacy law compliance for electronic health records, health information exchanges and other technology platforms. She also regularly assists in the development of compliance strategies for ehealth and telemedicine providers.


Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...