The U.S. Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) last week announced the first HIPAA settlement in lieu of a civil money penalty for failure to timely report a breach of unsecured protected health information (“PHI”). Presence Health Surgery Center of Presence St. Joseph Medical Center in Joliet, Illinois, agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan (“CAP”). Presence Health is one of the largest health care networks in Illinois.
On January 31, 2014, OCR received a breach notification report from Presence stating that, on October 22, 2013, Presence had learned that paper operating room schedules containing the PHI of 836 individuals were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The schedules contained the patients’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. OCR’s investigation revealed that Presence Health had failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 affected individuals, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.
This enforcement action indicates not only that DHHS will enforce the Breach Notification Rule (which is also an item of high interest in DHHS audits) but also that covered entities must have security incident report and response procedures that ensure that the need for breach notification is assessed after every incident and, if notification is required, that it is carried out.
If you have no idea how to draft HIPAA security incident report and response policies and procedures, we have some help for you. First, you can find all the help that you need in my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, 2nd edition, in my book The Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, and accompanying CD of samples, and in my book The Complete HIPAA Policies and Procedures Guide, with accompanying CD of samples. Our HIPAA compliance tools are available on our website, and the 10% discount is still in effect through the end of this month (just use the discount code HIPAA2017 at checkout), as mentioned in the blog item posted on December 29, 2016. Second, you could also register for a webinar on the topic “How to Write HIPAA Policies and Procedures,” which our own Alice McCart will be presenting live on Thursday, January 19, 2017, at 1:30 p.m. Central time, through Online Compliance Panel. Third, if you are facing a looming breach notification deadline and cannot wait for books and CDs to arrive, email firstname.lastname@example.org, and Alice will email you a sample from one of my books.
Caution: do not blithely report anything or submit a breach notification without first running it past an attorney knowledgeable in HIPAA law and how to deal with DHHS. Alice here: In my opinion, the best attorney in that regard would be Jon Tomes.