On January 9, 2017, the Department of Health and Human Services Office of Civil Rights (HHS OCR), which enforces the privacy requirements contained in Health Insurance Portability and Accountability Act (HIPAA), announced a first-of-its-kind penalty against a covered entity that failed to provide breach notification in a timely manner. This enforcement action should inform life sciences companies as to how they must address breaches affecting protected health information. Presence Health—an Illinois not-for-profit healthcare network with roughly 150 locations including hospitals, long-term care, and senior living facilities—agreed to pay $475,000 and implement policy changes to settle HHS OCR allegations that the company failed to provide timely notice to affected individuals, HHS OCR, and the media.
The HIPAA breach notification rule, with limited exceptions, requires covered entities to provide notice of a breach to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” If the breach involves 500 or more individuals, notice also must be provided to HHS OCR at the same time. If 500 or more individuals affected by the breach are concentrated in a single geographic area, notice of the breach also must be provided to media outlets.
According to the settlement agreement, Presence Health took 104 days—rather than “not more than 60 days”—to notify 836 affected individuals; 101 days to notify HHS OCR; and 106 days to notify the media of a breach (discovered in October 2013) involving paper-based operating room schedules. The delayed notification apparently resulted from “miscommunications” between members of the company’s workforce.
HHS OCR counted each day notice was delayed as an additional violation of the breach notification rule. In its press release announcing the settlement, HHS OCR stated that in setting the $475,000 penalty, it “had balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.”
In the course of its investigation, HHS OCR also found that the company failed to provide timely notice in the case of an unspecified number of breaches involving fewer than 500 individuals, although those other breaches do not appear to have been a basis for HHS OCR’s penalty calculations in the immediate case. There was no allegation by HHS OCR that consumers were affirmatively harmed by the failure of Presence Health to provide notice within the mandated 60 day timeframe.