Time is of the Essence When Reporting a Breach of PHI

Obermayer Rebmann Maxwell & Hippel LLP

The failure to timely report a breach of unsecured protected health information (PHI) has cost Presence Health (one of the largest health systems in Illinois) almost half of a million dollars.

Earlier this month, Presence Health agreed to pay $475,000 and enter into a corrective action plan (CAP) with the Office for Civil Rights (OCR) based upon its failure to timely report a data breach in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and HIPAA’s Breach Notification Rule.

On October 22, 2013, Presence Health discovered that paper-based operating room schedules were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The schedules contained PHI, including the names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia used for 836 Presence Health patients. Presence Health did not notify OCR of the data breach until January 31, 2014, when Presence Health submitted a breach notification report.

During its subsequent investigation, OCR found that Presence Health failed to timely notify: (i) each of the 836 individuals affected by the breach, (ii) prominent media outlet(s), and (iii) OCR. HIPAA requires covered entities (and business associates) to report breaches without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

OCR Director Jocelyn Samuels said “[c]overed entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirement…Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The Presence Health settlement and CAP provide an important lesson for covered entities.

A breach of PHI can occur at any time, even if it is unintentional and outside of a covered entity’s control. As such, covered entities need to be ready. Covered entities need to have policies and procedures in place so that they can promptly determine whether an incident constitutes a breach of PHI and, if it does, respond appropriately under the Breach Notification Rule.

To read a copy of the Presence press release, click here.

To read a copy of the Resolution Agreement and CAP, click here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising
