$475K Settlement for Late HIPAA Break Notice
The Division of Health and Human Services’ OCR has publicized the 1st HIPAA payment of current year. This is additionally the 1st settlement so far exclusively based on a needless delay to break notice after the revelation of patients’ safeguarded health info. Presence Health, among the biggest healthcare systems serving people of Illinois, has consented to pay OCR $475K to resolve possible HIPAA Break Notice Law breaches.
After a break of PHI, the HIPAA Break Notice Law requires protected entities to release break notice letters to all impacted people informing them of the break. Those letters must be released within 2 months of the detection of the break, even though protected units must not defer the issuing of break notices to health plan members or patients needlessly.
Moreover, if the break affects over 500 people, a break report should be presented to OCR within 60 days as well as the Break Notice Law also requires protected units to release a break notification to famous mass media outlets. Protected units must also place an alternate break notification in a conspicuous place on the company site to warn plan members or patients to the break.
Smaller breaks affecting less than 500 people should also be informed to OCR, even though protected units can inform these smaller breaks yearly within 2 months of the close of the calendar year. Protected units must notice that state data break rules might not allow such postponements and that irrespective of the quantity of people affected by a break, HIPAA needs sick persons to always be informed within 2 months of a PHI break.
In late 2013, Presence Health suffered a break of real protected health information (PHI). Operating room timetables had been deleted from the Presence Operation Center in Joliet, Illinois, and couldn‘t be found. The files had confidential data on 836 sick persons, including names, the types of anesthesia provided, treatment dates, details of procedures performed, medical record numbers, birth dates, and names of the doctors who carried out operations.
On October 22, 2013, Presence Health became conscious that the files were lost, however, OCR wasn’t informed of the break until January 31, 2014, over a month following the 60-day HIPAA Break Notice Law limit.
OCR scrutinizes all breaks of over 500 records – and chosen branches of less than 500 files. The OCR inquiry exposed notice to OCR was released 104 days after the break was found – 34 days after the limit for informing the event had elapsed. A mass media notification was released, even though not until 106 days after the break was found – 36 days after the HIPAA Break Notice Law limit. Patients were informed of the break 101 days after detection – 31 days after the HIPAA Break Notice Law limit had elapsed.
Detectives concluded that this wasn’t the only case where break notices to patients had been deferred. Presence Health had faced many smaller PHI breaks in 2015 and 2016, however, for many of those breaks, Presence Health didn’t provide impacted people with timely break notices.
Declaring the resolution contract and payment, Jocelyn Samuels, OCR Director, said: “Protected units must have a perfect policy and processes in place to react to the Break Notice Law’s timeliness needs.” She explained the reason why people must be alerted of PHI breaks quickly, saying “People require quick notice of a break of their unsafe PHI so they may take action that might assist alleviate any possible damage caused by the break.”
The settlement must work as a notice to HIPAA protected units that needless break report deferrals can have grave financial effects. 60-days is the largest time frame for recording (and declaring) PHI breaks, not a suggestion.