Illinois’ Presence Health Network found out in a big way in a December 29, 2016 settlement with the HIPAA enforcement unit of the Office for Civil Rights (OCR) for the sum of $475,000. While the settlement does not admit wrongdoing, the settlement agreement released by OCR states that the grounds are allegations of delayed breach notifications to affected patients, the media, and OCR.
OCR indicates that the first alleged violation involved an October 22, 2013 incident in which paper-based operating room schedules containing the PHI of 836 individuals went missing from the Surgery Center at Presence St. Joseph Medical Center. The incident was not reported to OCR until January 31, 2014 (101 days) due to “miscommunications between its workforce members.” In this incident, OCR recites that notice was not given to affected individuals until February 3, 2014 (104 days), while the Breach Notification Rule requires notification no later than 60 calendar days after discovery. The required notification to the media was reportedly not made until February 5, 2014 (106 days). Media notification is required for breaches involving more than 500 individuals “without unreasonable delay” and no later than 60 calendar days after breach discovery. Under the rules, each day of delay constitutes a separate violation for each notification requirement.
OCR reported that during the investigation of the original incident, it reviewed the system’s breach reports submitted in the 2015 and 2016 annual reporting of breaches affecting fewer than 500 individuals. While those incidents were apparently reported to OCR in a timely manner in the annual reports, OCR discovered that several of them did not result in timely notification to the individuals whose PHI was compromised.
In addition to the fine, Presence entered into a Corrective Action Plan that requires revisions within 60 days, subject to OCR approval, to policies and procedures that clearly delineate individual roles and responsibilities for:
- Receiving and addressing information of potential breaches from internal sources
- Receiving and addressing information of potential breaches from individuals and business associates
- Completing risk assessments of potential breaches
- Preparing notifications to individuals, media, and OCR
- Ensuring notifications are made without unreasonable delay and within the timeframes prescribed by the Breach Notification Rule
In addition, Presence is to establish sanctions (disciplinary rules and penalties) against workforce members who fail to comply with the policies and procedures implementing the Breach Notification Rule. New employees are to be trained on the policies and procedures within 30 days of commencing service. All employees are to be trained within 60 days of OCR approving the training materials. Annual retraining is also required, as is compliance reporting under the agreement.