Skip to content Skip to navigation

Illinois Healthcare Network to Pay $475,000 for Lack of Timely Breach Notification

January 10, 2017
by Heather Landi
| Reprints

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced this week the first Health Insurance Portability and Accountability Act (HIPAA) enforcement action based on the untimely reporting of a breach of unsecured protected health information (PHI).

Chicago-based Presence Health Network, a healthcare system in Illinois consisting of more than 150 locations, has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan, according to a HHS OCR press release. Presence Health’s system includes 11 hospitals and 27 long-term care and senior living facilities. Presence also has multiple physicians’ offices and health care centers in its system and offers home care, hospice care, and behavioral health services.

HSS OCR officials stated in the press release, “With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.”

According to HHS, on January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. 

“OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR,” the agency stated.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” OCR Director Jocelyn Samuels said in a prepared statement. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

According to HHS, covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).

More information about OCR’s guidance on breach notification can be found here.

 

 

 

Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

New York Presbyterian Brooklyn Methodist Revalidated as EMRAM Stage 7

Due to its use of RFID technology to improve patient care and outcomes, New York Presbyterian Brooklyn Methodist Hospital (NYPBMH) has received acute care Stage 7 revalidation on the HIMSS Analytics Electronic Medical Record Adoption Model (EMRAM).

Dana Alexander Named 2016 HIMSS Nursing Informatics Leadership Award Winner

Dana Alexander, R.N., has been named the recipient of the 2016 HIMSS-ANI Nursing Informatics Leadership Award, a joint award sponsored by Alliance for Nursing Informatics (ANI) and HIMSS.

Agency Leadership Update: Collins Stays at NIH, Bindman Leaves AHRQ

As President-elect Donald Trump is sworn in as the United States’ 45th president at noon today, there has been an ongoing administration shuffle as agency leaders have stepped down as part of the presidential transition.

Reports: Indiana Cancer Services Agency Hacked, Won’t Pay Ransom

Earlier this month, Cancer Services of East Central Indiana- Little Red Door’s terminal server and backup drive were hacked by cybercriminal TheDarkOverlord, leading to a ransom demand that the cancer services facility will not pay, according to media reports.

Insurer to Pay $2.2M HIPAA Settlement for Disclosure of Unsecured ePHI

MAPFRE Life Insurance Company of Puerto Rico has agreed to settle potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by paying $2.2 million.

Avoidable Hospitalizations among LTC Residents Drops by 31 Percent

A data brief from the Centers for Medicare & Medicaid Services (CMS) has revealed that avoidable hospitalizations among long-term care facility residents has dropped by about 31 percent since 2010.