HIPAA Update: Illinois Health Care Network to Pay $475K for Untimely Breach Notifications
The Department of Health & Human Services (HHS), Office for Civil Rights (OCR) recently entered into a resolution agreement with Presence Health Network (Presence) stemming from delayed breach notification to affected individuals, the media and the OCR. In late 2013, a hospital in the Presence network discovered that paper-based operating room schedules, containing the PHI of 836 individuals, went missing from the hospital’s surgery center. In the report to the OCR, Presence noted that, due to a miscommunication between its workforce members, there was a delay in its provision of breach notifications. In particular, notifications, which are required to be made as soon as possible but within 60 days, were made after 104 days to the affected individuals, 106 days to the media and 101 days to the OCR. In the course of investigating this breach, the OCR also reviewed other breach notifications by Presence that had not been made in a timely manner.
Presence will pay HHS $475,000 in resolution of the allegations, and has entered into a “Corrective Action Plan” with OCR under which Presence must, among other things, revise its existing policies and procedures relating to the HIPAA Breach Notification Rule. The resolution agreement should serve as a warning and reminder to covered entities of the importance of having in place a current and effective breach notification policy, of investigating suspected and alleged breaches in a timely manner and of ensuring that all required notifications are made within required timeframes.