OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the Continue reading

New HIPAA Exception Allows Covered Entities to Report Behavioral Health Considerations Applicable to Possessing a Firearm

gun rangeAs of February 5, 2016, a change in the law allows certain health care providers to report the identity of an individual who is prohibited from possessing a firearm for mental health reasons to the National Instant Criminal Background Check System (“NICS”).  The Department of Health & Human Services (“HHS”) amended the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to allow such reporting by health care providers who are a “covered entity” under HIPAA and who are: state agencies; designated by the state with lawful authority to make the adjudications or commitment decisions that make individuals subject to a “mental health prohibitor”; or serve as repositories of information for NICS reporting purposes.  The Final Rule that makes this amendment to HIPAA was published in the Federal Register on January 6, 2016: click here.

Before this amendment, health care providers who are “covered entities” under HIPAA could report information to the NICS only if:

(1) the health care provider had designated itself as a “hybrid entity” where the Privacy Rule would apply only to the entity’s functions that are subject to Continue reading