$475,000 fine marks first HIPAA enforcement action over breach notification timing

Dive Brief:

  • The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has taken action against a healthcare facility for failing to report a breach of unsecured protected health information (PHI) in a timely manner.
  • Presence Health, a large healthcare system serving Illinois, settled the potential violations with a $475,000 payment and implementation of a corrective action plan.
  • Presence Health itself reported the breach, but not within 60 days of discovering it, as the HIPAA Breach Notification Rule requires.

Dive Insight:

Presence Health reported on January 31, 2014, that paper records containing the PHI of 836 individuals were missing. The breach, however, had been discovered on October 22, 2013, 101 days earlier and well past the 60-day window that runs from the date of discovery.

In the first years after the Health Insurance Portability and Accountability Act took effect, no civil fines were assessed against healthcare providers, despite tens of thousands of privacy violations; HHS focused instead on constructive improvements, The Wall Street Journal reported in 2008. That approach began to change in 2009 with the passage of the HITECH Act, whose implementing Omnibus Rule was finalized in January 2013. While there have been some headline-grabbing sanctions for large data breaches over the years, this is the first sanction based solely on a delay in reporting a breach.

The oversharing atmosphere on social media presents new compliance challenges for providers, and with a majority of providers having adopted EHRs, there are plenty of opportunities for error. Although HHS still appears more interested in improvement than punishment, as the OCR's upcoming HIPAA audits suggest, healthcare entities may find that they face financial sanctions, not just corrective action requirements, should they violate any HIPAA provision.
