Healthcare Network Settles With OCR for Breach of Notification Requirements
The HIPAA settlement is the first to enforce the notification rule.
The largest healthcare network serving Illinois settled a potential HIPAA violation for $475,000 with the Office for Civil Rights Monday.
The settlement followed Presence Health’s potential violation of the HIPAA Breach Notification Rule, which requires healthcare entities to notify the OCR of potential breaches within 60 days of discovery.
It is the first time the OCR has enforced the notification rule and shows institutions the importance of reporting breaches to the Department of Health.
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
The potential breach was discovered on Oct. 13, 2013, when pieces of paper containing operating room schedules went missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.
The papers contained patient names, dates of birth, medical record numbers, dates and types of procedures, surgeon names and types of anesthesia.
Presence notified the OCR of the breach on Jan. 31, 2014.
Per the notification rule, breaches affecting more than 500 people must be reported within 60 days of discovery. The Presence breach affected 836 people.
Read the full Resolution Agreement and Corrective Action Plan here.