Wednesday, January 11, 2017

Presence Health agrees to pay HIPAA fine for slow breach response

Presence Health has agreed to pay $475,000 for slow breach response and to execute a corrective action plan for failing to comply with the HIPAA breach notification rule.

The sanctions imposed on the organization by the HHS Office for Civil Rights are the first enforcement action focused on a lack of timely breach notification, or slow breach response, according to OCR.

“Covered entities need to have clear policies and processes in place to respond to the Breach Notification Rule’s timeliness requirements,” says OCR Director Jocelyn Samuels. “Individuals require prompt notice of a breach of their unsecured PHI so they can take action that could help to reduce any potential harm caused by the breach.”

Presence operates eleven hospitals across Illinois, as well as physician practices and long-term care facilities.

OCR became aware of poor consumer breach notification practices, or slow breach response, at Presence in late January 2014, after one of its hospitals, Presence St. Joseph Medical Center, notified the agency of a breach of paper records in October 2013. In its report, the hospital said that, due to miscommunication between workforce members, “there was a delay in its provision of breach notifications,” according to OCR.

In investigating the October 2013 breach, OCR discovered three violations of the requirement to notify affected individuals and the media within sixty days of discovery. Presence did not notify affected individuals of the breach until 104 days after discovery, did not notify the media until 106 days after discovery, and did not notify HHS and OCR until 101 days after discovery. OCR also learned that Presence did not release notifications following smaller breaches in 2015 and 2016.

Presence Health released the following statement:

“Because patient privacy is a top priority at Presence Health, we’re working diligently with the OCR on all measures needed under the corrective action plan, involving extra associate training in HIPAA policies and processes. This is the culmination of a several-year procedure working with the OCR to resolve a matter we voluntarily reported to the OCR in 2014 related to an isolated tragedy including paper records at a surgery center situated in Joliet, Illinois. This tragedy didn’t include any electronic records and didn’t involve any disclosure of patient contact or financial data. We’re confident that reports on our progress to rapidly execute revised policies and processes will be positive.”

 
