The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $475,000 settlement with Presence Health for violations of the HIPAA Breach Notification Rule. This settlement is the first in the history of HIPAA enforcement to be levied for failure to properly notify patients of a breach of unsecured protected health information (PHI).
The breach first occurred in October 2013. Under the HIPAA Breach Notification Rule, HIPAA breaches affecting more than 500 individuals must be reported within 60 days of the discovery of the breach.
The documents involved in the breach contained names, dates of birth, medical record numbers, dates and types of procedures, and more.
In response to the settlement for violation of the HIPAA Breach Notification Rule, Jocelyn Samuels, Director of OCR, stated that “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
Wider Trends in the Enforcement of HIPAA for 2017
Presence Health is one of the largest healthcare networks in Illinois. OCR reported that “Presence has multiple physicians’ offices and healthcare centers in its system and offers home care, hospice care, and behavioral health services.”
Historically, medical specialties like behavioral health services have been largely spared from large-scale OCR enforcement. Minor breaches and fines have always been common, but widely publicized settlements like this one have only recently started to target more niche parts of the healthcare industry.
In 2016, collected fines totaled $23,504,800, compared to nearly $15 million in 2015. If this HIPAA enforcement trend continues, 2017 could be the most expensive year in fines to date. Additionally, organizations including research institutes, behavioral health specialists, and business associates have all been targeted for unprecedented large-scale settlements.
Both the scope and the severity of HIPAA enforcement have become more aggressive in recent years. OCR’s first fine of 2017 is the first time it has ever reached a settlement for a violation of the HIPAA Breach Notification Rule. This is a strong indication that the federal government is going to continue its uncharacteristic enforcement efforts. How confident are you in your HIPAA compliance?