Breach of Privacy Prompts Breach of Etiquette: DHHS Sets New Precedent in Privacy Breach Enforcement

Michael Adelberg, Jason Schnabel
Faegre Drinker Biddle & Reath LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Faegre Baker Daniels

On January 9, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) took action against a health system for non-timely reporting of a breach of protected health information. It was the first time the OCR opted to take an enforcement action in response to this type of infraction—perhaps suggesting a desire to set new precedent in the final days of the Obama administration.

The incident originated in late 2013, when Presence Health—an Illinois health system—learned that it lost several hundred operating room schedules and then failed to notify OCR within 60 days, as required. The OCR, which enforces privacy violations related to the Health Insurance Portability and Accountability Act (HIPAA), took action against Presence Health for non-timely reporting of a breach of protected health information (PHI). In a settlement with OCR, the health system agreed to pay $475,000 and implement an eight-point corrective action plan. In its announcement of the settlement, OCR noted that this is the first time it has taken action against an entity for non-timely reporting of a PHI breach.

The two-year corrective action plan includes requirements for Presence Health to draft and distribute new policies and procedures that comply with the requirements of the breach notification rule, with such policies to be approved by HHS and reviewed annually by Presence Health. Additionally, Presence Health is required to draft, and submit for HHS approval, training materials that would implement the newly-drafted policies and procedures, with such training to be given to applicable Presence Health employees annually during the term of the corrective action plan.

According to the resolution agreement, Presence Health lost documents that contained protected health information and then failed to report the breach within the required timeframe. OCR, as the enforcer of HIPAA breaches, has authority to levy fines and other punishments for such breaches. Nonetheless, it might be considered a breach of etiquette for the OCR to take a novel enforcement action in the final days of an administration when they have declined to act on the same or similar violations for years. Senior administration regulators are setting an important precedent on their way out the door.

Large data breaches, both in the health sphere and more generally, have become increasingly common in the last five years (OCR publishes a list of data breaches that affect more than 500 individuals). Due to the increased publicity and scope of data breaches, the precedent-setting action by OCR can be seen as part of a broader response to data privacy and security issues, and a resulting desire to encourage transparency on the part of dataholders.

All of this suggests that after years of polite non-enforcement, a breach of etiquette in the final days of an administration could change breach enforcement for years to come.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising

Written by:

Faegre Drinker Biddle & Reath LLP
Faegre Drinker Biddle & Reath LLP
Contact
more
less

Faegre Drinker Biddle & Reath LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide