OCR Announces First HIPAA Settlement for Untimely Breach Reporting

On January 9, 2017, the Office for Civil Rights (OCR) announced the first Health Insurance Portability and Accountability Act (HIPAA) settlement for violations related to untimely breach reporting. The Covered Entity, a large health care network that includes over 100 locations and eleven hospitals, became aware of a potential breach in October 2013. The entity discovered that a number of its paper-based operating room schedules were missing; these schedules contained the Protected Health Information (PHI) of 836 individuals, including patient names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia used. The Covered Entity began an internal investigation of the breach; however, the required reporting was neither initiated nor completed until February 2014.

OCR identified three separate violations within the Covered Entity’s failure to report the breach: the failure to provide timely notification to (1) the affected patients, (2) media outlets, and (3) HHS. For a breach affecting more than 500 individuals, each of these notifications is required without unreasonable delay and in no case later than 60 days from discovery of the breach. As a result, the Covered Entity has agreed to pay a $475,000 settlement related to these violations. In addition, the Covered Entity will be required to implement a corrective action plan that includes revising its current policies and procedures for complying with the requirements of the Breach Notification Rule.

This settlement marks the first time OCR has imposed a penalty on an entity for failing to meet the timely notification requirements of breach reporting, and it underscores the importance of exhaustive HIPAA compliance. OCR’s vigorous and strict enforcement of HIPAA has been on an exponential trajectory, and this settlement, the first of 2017, indicates that the trend is likely to continue. Last year, HIPAA fines amounted to almost triple those of the previous year. Covered entities and business associates must be aware of these enforcement actions and proactively ensure their own compliance with all HIPAA regulations to avoid likely fines and penalties. Contact Frier Levitt for assistance in developing a tailored and comprehensive compliance plan for your business to prevent and mitigate the penalties for violations of HIPAA.