Presence Health hit with HIPAA fine for slow breach response
Presence Health has agreed to pay $475,000 and implement a corrective action plan for failures to comply with the HIPAA breach notification rule.
The sanctions imposed on the organization by the HHS Office for Civil Rights are the first enforcement action focused on lack of timely breach notification, according to OCR.
“Covered entities need to have clear policies and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” says OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
Presence operates 11 hospitals across Illinois, as well as physician practices and long-term care facilities.
OCR became aware of poor consumer breach notification provisions at Presence in late January 2014 after one of its hospitals, Presence St. Joseph Medical Center, notified the agency of an October 2013 breach of paper records. In its report, the hospital said that, because of miscommunication between workforce members, “there was a delay in its provision of breach notifications,” according to OCR.
In investigating the October 2013 breach, OCR found three violations of the requirement to notify affected individuals and the media within 60 days of discovery. Presence did not notify affected individuals of the breach until 104 days after discovery, did not notify the media until 106 days after discovery, and did not notify HHS and OCR until 101 days after discovery. OCR also learned that Presence did not issue notifications following smaller breaches in 2015 and 2016.
Presence Health issued the following statement to Health Data Management:
“Because patient privacy is a top priority at Presence Health, we are working diligently with the OCR on all steps required under the corrective action plan, including additional associate training in HIPAA policies and procedures. This is the culmination of a several-year process working with the OCR to resolve a matter we voluntarily reported to the OCR in 2014 related to an isolated incident involving paper records at a surgery center located in Joliet, Illinois. This incident did not involve any electronic records and did not involve any disclosure of patient contact or financial information. We are confident that reports on our progress to quickly implement revised policies and procedures will be positive.”