Breach Notification , HIPAA/HITECH , Incident & Breach Response
$475,000 HIPAA Penalty for Tardy Breach NotificationIncident Involved Relatively Small Breach of Paper Records
In a reminder of HIPAA's tough requirements for breach notification, federal regulators have issued a $475,000 financial settlement and corrective action plan for Chicago-based Presence Health tied to its tardy notification for a 2013 paper records breach affecting only about 800 individuals.
Jocelyn Samuels, director of the Department of Health and Human Service's Office for Civil Rights, which enforces HIPAA, notes that healthcare organizations "need to have a clear policy and procedures in place to respond to the [HIPAA] Breach Notification Rule's timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach."
In a statement, OCR says its settlement with Presence Health, which has 150 locations, including 11 hospitals, in Illinois, marks the agency's first HIPAA enforcement action involving the lack of timely breach notification.
OCR says that on Jan. 31, 2014, it received a breach notification report from Presence indicating that on Oct. 22, 2013, the organization discovered that paper-based operating room schedules, which contained the protected health information of 836 individuals, were missing from the surgery center at the Presence St. Joseph Medical Center in Joliet, Ill.
PHI included names, dates of birth, medical record snumbers, dates of procedures, types of procedures, surgeon names and types of anesthesia, the OCR statement says. "OCR's investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach each of the 836 individuals affected by the breach, prominent media outlets, as required [by HIPAA] for breaches affecting 500 or more individuals, and OCR," the statement says.
Corrective Action Plan
In addition to the financial payment, the resolution agreement between OCR and Presence Health calls for the organization to implement a corrective action plan that includes:
- Revising its existing policies and procedures related to breach notification;
- Distributing the updated policies and procedures to Presence Health's workforce;
- Providing training to Presence Health's workforce pertaining to those policies and procedures.
In a statement to Information Security Media Group, a Presence Health spokesman says the organization is "working diligently" with OCR on all steps required under the corrective action plan, including additional training in HIPAA policies and procedures.
"This is the culmination of a several year process working with the OCR to resolve a matter we voluntarily reported to the OCR in 2014 related to an isolated incident involving paper records at a surgery center located in Joliet, Illinois," the statement notes. "This incident did not involve any electronic records and did not involve any disclosure of patient contact or financial information. We are confident that reports on our progress to quickly implement revised policies and procedures will be positive."
Lessons for Others
OCR's action in this case is "an important reminder to get breach notices out in a timely fashion," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "This is true regardless of the format of the information."
Covered entities and business associates can take a number of steps to better respond to a breach incident, says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
"First, perform a risk analysis and implement a mitigation plan to address the gaps in an organization's information security program," he advises. "Second, be prepared with a comprehensive incident response plan. Even for the most thorough and sophisticated organizations, it is not 'if' but 'when' a breach will occur. Ensuring that the organization has a well thought out incident response plan is critical."
The breach response plan should include who within an organization will be notified regarding the incident and who will take the lead on investigating. It should also spell out that the media relations department should be involved early on, he says.
"It is also helpful to think about pre-contracting with organizations that provide services that might be need after a breach - like forensic investigative services and breach response assistance," he says. "Be familiar with the state and federal laws for breach notification, who has to be notified, when it must take place and what information the notice must contain. Have a contract in place before the breach happens can help reduce the chaos that occurs after the organization [learns] of a breach and is one less thing fire to put out in the midst of breach response."
More Settlements to Come?
This first HIPAA settlement of the new year follows an active enforcement year in 2016, when OCR announced 12 settlements and one civil monetary penalty case with penalties totaling about $20 million.
But will 2017 be as active an enforcement year once the Trump administration takes charge?
"One thing we have seen over the years, there is no way to predict the timing of OCR's wrapping up an enforcement action," Holtzman notes. "The settlements that result in a resolution agreement and corrective action plan are influenced by a number of outside forces, not the least of which is the willingness of a covered entity or business associate and OCR to negotiate an agreement on the amount of a penalty and the terms of a corrective action plan. The pending presidential inauguration probably will not have much influence on this process."