WASHINGTON – Chicago-based Presence Health has become the first health care organization penalized for not reporting a HIPAA privacy breach within a 60-day window, as federal regulators slapped the operator of 11 Illinois hospitals with a $475,000 fine.
And it could signal greater enforcement actions to come, said an attorney who works with other health care organizations.
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced the penalty as the first settlement of its kind under the federal Health Insurance Portability and Accountability Act.
The settlement came after regulators reportedly discovered that Presence had failed to report a breach of unsecured protected health information (PHI) in a timely manner. Regulators determined that Presence Health, one of the largest health care networks serving Illinois, with hospitals in Chicago, the suburbs and downstate, had violated the HIPAA Breach Notification Rule. Presence then agreed to pay $475,000 and implement a corrective action plan in the settlement.
“Presence failed to timely notify the Secretary of the Department of Health and Human Services, the individuals affected by the breach in the security of their PHI, and the local media market where the individuals reside. Presence was to do so within 60 days of its discovery of the breach,” said Avery Delott, an attorney and partner at Roetzel & Andress in Chicago.
This was the first time the OCR penalized an entity for failing to report a breach within the HIPAA time frame.
According to the agreement, “On January 31, 2014, HHS received notification from Presence St. Joseph Medical Center, a Presence Health hospital, regarding a breach of unsecured PHI. Specifically, the hospital reported that, on Oct. 22, 2013, it discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at Presence St. Joseph Medical Center. In its report, Presence St. Joseph Medical Center noted that, due to miscommunications between its workforce members, there was a delay in its provision of breach notifications. During the course of investigating the October 2013 breach, HHS also reviewed Presence Health's reports of breaches affecting fewer than 500 individuals, which Presence Health entities submitted in 2015 and 2016, and HHS learned that, with regard to several of those reported breaches, the Presence Health entities had failed to provide timely written breach notifications to the individuals whose PHI had been compromised as a result of those breaches.”
This case highlights what can happen when an organization fails to comply with HIPAA requirements, Delott said.
The $475,000 penalty was large enough to catch the attention of health operations subject to HIPAA, Delott said.
“In some ways Presence’s failure was technical,” she said. “A small, somewhat technical violation had reasonably significant consequences. We were also motivated to alert our clients to the increased enforcement activity in this area that we believe is foreshadowed by this decision.”
In the agreement, Presence Health agreed to revise its existing policies and procedures related to complying with the requirements of the Breach Notification Rule, complete risk assessments of potential breaches and ensure that all required breach notifications are submitted to the affected individuals, the media and HHS.
Presence Health must also forward the revised policies and procedures to HHS for the agency's review and approval within 60 days.
In light of the regulatory action against Presence, Delott said now would be a good time for other health care organizations to take stock of their policies and procedures, and make improvements, as needed.
“It’s time to review HIPAA policies, retrain staff and review the oversight procedures in this area,” she said.