A Costly Lesson in Untimely Reporting of a HIPAA Breach

Presence St. Joseph Medical Center, a hospital of Presence Health Network, a large healthcare system serving Illinois, waited more than three months before it notified the Department of Health and Human Services (HHS) of a breach involving 836 individuals. The untimely reporting cost the healthcare system $475,000 in a settlement with HHS, along with a two-year corrective action plan that applies to all 150 locations of Presence Health Network. This costly lesson should serve as a reminder to all healthcare providers of the liability at stake if compliance obligations are taken lightly.

On January 31, 2014, Presence notified HHS of a breach it had discovered on October 22, 2013. Specifically, Presence found that paper-based operating room schedules were missing from its facility. The schedules contained the PHI of 836 individuals: names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia administered.

Under the HIPAA Breach Notification Rule, because the breach affected more than 500 individuals, Presence was required to notify the affected individuals, HHS, and prominent media outlets without unreasonable delay and no later than 60 days after discovering the breach. It took Presence 101 days to report the breach to HHS; it attributed the delay to miscommunication among staff.

HHS investigated the breach and found that Presence's notifications to the affected individuals and to media outlets were late as well: the 836 affected individuals were notified only on February 3, 2014 (104 days after discovery), and media outlets only on February 5, 2014 (106 days after discovery). But the compliance issues did not end there.

HHS also uncovered a pattern of delays during its investigation. It reviewed other breach events that occurred at Presence in 2015 and 2016. Because each of these breaches affected fewer than 500 individuals, the Breach Notification Rule required notification to the affected individuals within 60 days of discovery and notification to HHS within 60 days of the end of the calendar year in which the breach was discovered. Again, HHS found that Presence had failed to meet the reporting deadlines for these smaller breach events.

Presence's compliance mistakes came with a hefty price tag. They also reached its parent healthcare system through the corrective action plan, which requires Presence Health Network to take immediate action in a number of areas to resolve weaknesses in its compliance program. Don't put your organization on HHS' radar: take time to review the effectiveness of your compliance policy, verify that your workforce is properly trained to recognize a breach and act on it, and make sure your policies are actually enforced. Otherwise, a government investigation may be in your future.

All breaches discovered in 2016 that affected fewer than 500 individuals were required to be reported to HHS by March 1, 2017. A breach report can be filed through the HHS Breach Portal.