The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals of a breach without unreasonable delay and in no case later than 60 days after the breach is discovered; for breaches affecting more than 500 individuals, OCR and the media must be notified within the same period.
Presence Health is a not-for-profit health system serving 150 locations in Illinois. On October 22, 2013, Presence Health first discovered that some paper copies of its surgery schedules at one location were missing; these documents contained the protected health information of 836 individuals. The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. Presence Health reported the breach to OCR on January 31, 2014 (101 days later), notified affected individuals on February 3, 2014 (104 days later), and notified the media on February 5, 2014 (106 days later). Presence Health explained that the delay in notification was due to miscommunication between workforce members. However, during its investigation, OCR also reviewed smaller breaches affecting fewer than 500 individuals that occurred at Presence Health in 2015 and 2016, and found that Presence Health had failed to notify affected individuals in a timely manner in several of these smaller breaches as well.
On January 3, 2017, Presence Health agreed to resolve violations of the HIPAA Breach Notification Rule by agreeing to pay $475,000 and to implement a two-year corrective action plan. The Resolution Agreement and Corrective Action Plan are available here.
With this settlement, OCR is sending a clear message that every day counts! OCR explains: “Each day [after day 60] on which Presence Health failed to notify each affected individual of the breach indicates a separate violation of the Breach Notification Rule.” In addition, each day on which Presence Health failed to notify the media and OCR is also considered a separate violation. OCR wants individuals to receive prompt notice of a breach of their unsecured protected health information “so they can take action that could help mitigate any potential harm caused by the breach.”
We recommend that covered entities adopt policies and take steps to help ensure that data breaches are reported without unreasonable delay and in no case later than 60 days following the discovery of a breach.