On January 9, 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced the first HIPAA enforcement action and settlement based on the late reporting of a breach of unsecured protected health information (PHI). Presence Health, a large Illinois healthcare network, settled potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. The breach involved missing paper-based operating room schedules containing the PHI of 836 individuals. Information included individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR. The notification was provided by Presence Health 101 days after the discovery of the breach – presumably over 40 days late.
OCR commented on the settlement. “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
With the $475,000 settlement amount, OCR indicated it balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether. Presumably, more money could have been sought.
Dentists are covered entities under HIPAA and are required to provide timely notification of PHI breaches. Therefore, dentists should consult and retain an attorney experienced in health law and HIPAA concerning their policy and procedures for responding to the Breach Notification Rule’s timeliness requirements. Once a breach is discovered, this attorney should be immediately consulted for guidance in satisfying the HIPAA Breach Notification Rule. Breaches occur for many reasons, including but not limited to, theft, embezzlement, lost records, sabotage, and computer hacking. Breaches may involve paper and other physical PHI, as well as electronic PHI.