Time Waits for No One: OCR Announces First HIPAA Settlement for Lack of Timely Breach Notification

Davis Wright Tremaine LLP

On Jan. 9, 2017, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced the first HIPAA enforcement action for failure to timely report a breach. Often investigating and making formal determinations concerning a potential breach can be very time consuming, even when responding promptly and appropriately to the event. The settlement highlights the importance of covered entities and business associates meeting the Breach Notification Rule timing requirements and otherwise having processes in place to respond to potential breaches in a timely manner.

The Breach Notification Rule requires notification of affected individuals and (in some cases) the media without unreasonable delay and in no case later than 60 days after discovery of the breach. OCR must also be notified but the timing depends on the size of the breach. OCR alleges that it took Presence Health 101 calendar days to notify OCR and 104 calendar days to notify affected individuals and media, when the notification should have been made no later than 60 days after discovering the breach.

Presence Health agreed to pay a settlement amount of $475,000. It is noteworthy that Presence Health is a relatively large health system, but the settlement is well below the average of recent settlements (the average 2016 resolution agreement was approximately $2 million). Presence Health also agreed to enter into a two-year corrective action plan, which requires new policies and procedures and training, but does not include internal or external monitoring like some prior settlements. The settlement comes approximately three years after the breach report, which is in line with the timing of past resolution agreements.

Prior to OCR’s settlement with Presence Health, the closest enforcement action based on the Breach Notification Rule was with Adult & Pediatric Dermatology, P.C., in which OCR highlighted the covered entity’s failure to have written policies and procedures and train members of its workforce regarding the Breach Notification Rule requirements.

OCR’s settlements highlight the need for covered entities and business associates to have written breach notification policies and procedures, to train workforce on recognizing and immediately reporting potential breaches to the designated internal person, such as the privacy or security officer, and to educate workforce members on the importance of adhering to the required timeframes.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.