First Ever HIPAA Enforcement Action for Delay in Breach ReportingA delay in timely breach notification may now cost you. The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently entered a settlement with Presence Health for untimely reporting a breach of unsecured protected health information (PHI). Presence discovered that its operating room schedules containing PHI for 836 individuals were missing on October 22, 2013. Under the HIPAA Breach Notification Rule, breaches like this which involve >500 individuals are required to be reported to the individuals, prominent media outlets and OCR without unreasonable delay and in no case later than 60 days. Presence did not report the breach to OCR until January 31, 2014, approximately 100 days after discovering the breach. OCR’s investigation concluded that Presence failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals, the media and OCR. Presence agreed to pay $475,000 to settle the potential violations.
The Press Release and Resolution Agreement are available on the OCR website.