OCR announces first HIPAA breach settlement of the year
An Illinois healthcare network is the first organization hit with a HIPAA settlement fine for violating the timely breach notification requirement, the Office for Civil Rights (OCR) announced on January 9.
Presence Health, an organization including 11 hospitals and 27 long-term care and senior living facilities as well as physician practices, home care services, hospice, and behavioral health services, agreed to a $475,000 monetary settlement and a corrective action plan (CAP).
Over the past year, OCR has used high-profile breach settlements as an opportunity to draw attention to common or especially egregious HIPAA violations. The agency has highlighted the importance of organization-wide risk analyses, executive support for HIPAA, and mobile device security, with fines topping $5 million against a single organization. OCR used the announcement of the Presence Health settlement to spotlight the timely breach notification requirement and to drive home how important it is that affected individuals and regulatory agencies are notified of a breach as soon as possible.
Presence Health discovered on October 22, 2013, that paper operating room schedules listing the PHI of 836 individuals were missing, but it did not file a breach notification with OCR until January 31, 2014, more than 100 days later. The clock starts at discovery: a covered entity (CE) must notify affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered, with notice to OCR on the same timeline for breaches affecting 500 or more individuals, and notice to prominent media outlets when more than 500 residents of a state or jurisdiction are affected. The timely breach notification regulation is designed to help affected individuals mitigate any harm that may be caused by the breach, such as the exposure of financial and identity information. The PHI on the missing surgery schedules included:
- Dates and types of procedures
- Dates of birth
- Medical record numbers
- Names
- Surgeons’ names
- Types of anesthesia used
During the investigation of the 2013 breach, OCR also reviewed 2014 and 2015 breaches at Presence Health entities that each affected fewer than 500 individuals. Investigators found that Presence Health had failed to provide timely notification to affected individuals in these breaches as well.
Under the terms of the CAP, Presence Health must revise its breach notification policies and procedures and submit them to OCR within 60 days. The CAP also requires Presence Health to define staff responsibilities for breach discovery, breach reporting, and risk analysis.