Failure to Notify Individuals and Media About HIPAA Breach Within 60 Days Proves Costly

Author: Michael Cardman, XpertHR Legal Editor

January 19, 2017

An Illinois-based health care employer has agreed to pay the federal government $475,000 to settle claims that it failed to provide notification about a breach of protected health information (PHI) within 60 days of discovering the breach, as the Health Insurance Portability and Accountability Act (HIPAA) requires.

In October 2013, Presence Health discovered that operating room schedules containing the PHI of 836 individuals were missing from one of its hospitals. However, Presence Health did not notify the affected individuals or the media until more than 100 days later in February 2014.

The HIPAA Breach Notification Rule requires most employers and their business associates to notify affected individuals "without unreasonable delay," and in any case no later than 60 days after discovery of a breach. The notification must include, to the extent possible:

  • A brief description of the breach;
  • A description of the types of information that were involved in the breach;
  • The steps affected individuals should take to protect themselves from potential harm;
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and
  • Contact information for the employer and/or business associate.

If a breach affects more than 500 people, employers also are required to notify prominent media outlets and the US Department of Health and Human Services Office for Civil Rights (OCR) within 60 days of discovery.

The OCR said the Presence Health settlement was the first HIPAA settlement based on the untimely reporting of a breach of unsecured PHI.

"With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether," the agency said in a statement.

Presence Health admitted no wrongdoing in the settlement and also agreed to a corrective action plan intended to prevent future breaches.