Foot-Dragging on HIPAA Breach Notice Costs Illinois Health System

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By James Swann

An Illinois health system has reached a $475,000 settlement over allegations it waited too long to report a data breach, the first time the government has settled over untimely breach notifications.

Presence Health uncovered a data breach on Oct. 22, 2013 affecting 836 individuals, but didn’t report the breach to affected individuals until Feb. 3, 2014, the HHS Office for Civil Rights said Jan. 9. In addition to the $475,000 payment, Presence agreed to enter into a two-year corrective action plan.

The settlement is a clear example of the OCR sending a message to the provider community that it’s seriously enforcing breach notifications, Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, told Bloomberg BNA.

Under the Health Insurance Portability and Accountability Act’s Breach Notification Rule, organizations have an obligation to notify affected individuals, media outlets and the Department of Health and Human Services within 60 days of the discovery of a breach.

Zick said it didn’t appear that Presence Health deliberately violated the rule, noting the health system said the delay was due to an internal “miscommunication.” Nevertheless, the settlement reinforces that the 60-day notice period is real and meaningful to the OCR, Zick said.

Presence didn’t admit to any liability in the settlement, but the OCR said that didn’t mean Presence wasn’t in violation of the HIPAA rules.

Notifying Individuals

Failing to notify the OCR of a data breach in a timely fashion may not be among the most serious of HIPAA violations, but failing to notify affected individuals within 60 days can be a major problem, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg BNA.

The Presence breach doesn’t appear have involved Social Security numbers, and likely won’t run the risk of identity theft, but delays in notifying individuals can prevent them from taking immediate actions to protect themselves, such as changing passwords or enrolling in credit monitoring services, Fader said.

Fader said he didn’t think there would be more settlements involving a lack of timely breach notification, as the rule isn’t complicated and the OCR may feel that it has made its point.

If there are further settlements, they might center on failure to notify the OCR of smaller breaches (affecting fewer than 500 people), Fader said.

Beyond the specifics of the settlement, Fader said, it was interesting that it involved a breach of paper records.

The OCR lately has focused exclusively on breaches involving electronic protected health information, and Fader said the last settlement involving paper records was the November 2015 Triple-S settlement, which focused on the disclosure of protected health information on pamphlets that were mailed to beneficiaries of a Medicare Advantage plan.

To contact the reporter on this story: James Swann in Washington at jswann1@bna.com

To contact the editor responsible for this story: Kendra Casey Plank at kcasey@bna.com

For More Information

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Health Care on Bloomberg Law