Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, doctors, chiropractors, dentists and other covered entities are required by law to report breaches of Protected Health Information (PHI) in a timely manner. More specifically, covered entities are required to notify the individuals affected by the breach, the media, and the OCR within 60 days of the breach. And failure to do so could leave the covered entity subject to fines and other corrective actions set forth by the OCR.
Up until now, no covered entities have been cited for failure to report breaches. Earlier this month, however, the Office for Civil Rights (OCR) announced the department's first violation due to an untimely breach notification. According to a report by the OCR, the Chicago-based healthcare provider Presence Health has agreed to pay nearly half a million dollars to settle allegations that it violated the HIPAA Breach Notification Rule.
Presence Health is one of the state's largest healthcare networks, boasting 11 hospitals as well as dozens of physician offices, patient care and senior living facilities. The OCR, however, says Presence Health waited until January 31, 2014 to notify the department of a PHI breach that occurred on October 22, 2013. As stated above, the HIPAA Breach Notification Rule requires covered entities to notify the patients affected by the breach, the OCR and the media within 60 days of the breach, which Presence Health failed to do.
The incident in question affected 836 patients. Presence Health had discovered the patients' PHI was missing from its Surgery Center at the Presence St. Joseph Medical Center. This included patients' names, dates, medical record numbers, procedures, diagnoses, surgeons' names, anesthesia and more.
"Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule's timeliness requirements," said OCR Director Jocelyn Samuels in a statement announcing the agreement. "Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach."
So, while HIPAA violations involving the Breach Notification Rule are rare – well, unheard of until now – they do occur. Failure to comply with the requirements of this Rule could leave healthcare practices subject to hefty fines.
You can learn more about this incident by reading the Resolution Agreement and Corrective Action Plan between the OCR and Presence Health.