WASHINGTON – Chicago-based Presence Health has become the first health care organization penalized for not reporting a HIPAA privacy breach within a 60-day window, as federal regulators slapped the operator of 11 Illinois hospitals with a $475,000 fine.
And it could signal greater enforcement actions to come, said an attorney who works with other health care organizations.
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced the penalty as the first settlement of its kind under the federal Health Insurance Portability and Accountability Act.
The settlement came after regulators reportedly discovered that Presence had been late in reporting a breach of unsecured protected health information (PHI). Regulators determined that Presence Health, one of the largest health care networks serving Illinois, with hospitals in Chicago, the suburbs and downstate, had violated the HIPAA Breach Notification Rule. In the settlement, Presence agreed to pay $475,000 and implement a corrective action plan.
“Presence failed to timely notify the Secretary of the Department of Health and Human Services, the individuals affected by the breach in the security of their PHI, and the local media market where the individuals reside. Presence was to do so within 60 days of its discovery of the breach,” said Avery Delott, an attorney and partner at Roetzel & Andress in Chicago.
This was the first time the OCR penalized an entity for failing to report a breach within the HIPAA time frame.
According to the agreement, “On January 31, 2014, HHS received notification from Presence St. Joseph Medical Center, a Presence Health hospital, regarding a breach of unsecured PHI. Specifically, the hospital reported that, on Oct. 22, 2013, it discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at Presence St. Joseph Medical Center. In its report, Presence St. Joseph Medical Center noted that, due to miscommunications between its workforce members, there was a delay in its provision of breach notifications. During the course of investigating the October 2013 breach, HHS also reviewed Presence Health's reports of breaches affecting fewer than 500 individuals, which Presence Health entities submitted in 2015 and 2016, and HHS learned that, with regard to several of those reported breaches, the Presence Health entities had failed to provide timely written breach notifications to the individuals whose PHI had been compromised as a result of those breaches.”
This case highlights what can happen when an organization fails to comply with HIPAA requirements, Delott said.
The $475,000 penalty was large enough to catch the attention of health care organizations subject to HIPAA, Delott said.
“In some ways Presence’s failure was technical," she said. "A small, somewhat technical violation had reasonably significant consequences. We were also motivated to alert our clients to the increased enforcement activity in this area that we believe is foreshadowed by this decision.”
In the agreement, Presence Health agreed to revise its existing policies and procedures related to complying with the requirements of the Breach Notification Rule, complete risk assessments of potential breaches and ensure that all required breach notifications are submitted to the affected individuals, the media and HHS.
Presence Health must also forward the revised policies and procedures to HHS for the agency's review and approval within 60 days.
In light of the regulatory action against Presence, Delott said now would be a good time for other health care organizations to take stock of their policies and procedures, and make improvements, as needed.
“It’s time to review HIPAA policies, retrain staff and review the oversight procedures in this area," she said.