HRCAlerts011817_Late

The first Health Insurance Portability and Accountability Act (HIPAA) settlement for lack of timely notification about a breach of unsecured protected health information (PHI) was announced on January 9, 2017, by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). A large Illinois healthcare network noticed on October 22, 2013, that paper-based operating department schedules containing the PHI of 836 individuals were missing from one of its surgical centers. The network did not inform OCR of the breach until January 31, 2014, more than three months after discovery. The PHI contained individuals' names, birth dates, medical record numbers, dates and types of procedures, surgeons' names, and types of anesthesia used. The HIPAA breach notification rule requires covered entities to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered; OCR's investigation found that the health system had failed to notify within that window each of the affected individuals, the media (which must be notified of breaches involving 500 or more individuals), and OCR. The health system has agreed to pay $475,000 and implement a corrective action plan for failure to promptly report the breach. OCR said the settlement amount balanced the need to emphasize prompt reporting with the desire not to discourage breach reporting altogether. "Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach," said OCR director Jocelyn Samuels in a press release. OCR's guidance on breach notification is available at its website.

HRC Recommends: Risk managers should be aware that every covered entity and business associate is subject to a HIPAA security and privacy rule audit. OCR's phase 2 HIPAA audit program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the HIPAA privacy, security, and breach notification rules. OCR conducts these reviews using a comprehensive audit protocol updated to reflect the requirements of the 2013 HIPAA omnibus final rule. The updated HIPAA audit protocol is available on OCR's HIPAA privacy rule website. OCR also provides information about the audit process in a list of questions and answers as well as guidance documents.

Topics and Metadata

Topics

Laws, Regulations, Standards; Health Information Privacy

Roles

Healthcare Executive; Legal Affairs; Risk Manager

Information Type

News

Publication History

Published January 18, 2017

Who Should Read This

Corporate compliance; HIPAA privacy officer; HIPAA security officer; Information technology; Legal counsel; Risk manager