According to the Office of Civil Rights (OCR) in the Department of Health and Human Services, January 2017 continued high numbers of data breaches. While not as high as the average monthly breaches in 2016, which was 37.5, it was close with January 2017 showing 31 breaches. 25 of the 31 breaches were reported by individual provider offices. Four were reported by health plans and two involved business associates. 58.4% of these breaches were the result of inside incidents.
The largest was reported in January of 2017 actually occurred in October of 2015 and was discovered by the covered entity in December of 2014. However, the Department of Health and Human Services Office for Civil Rights, the organization responsible for enforcement of HIPAA, was not notified until January of 2017—way beyond the 60-day deadline for reporting breaches. This could spell costly trouble for this covered entity as the first HIPAA settlement for 2017 is also the first settlement based on an unnecessary delay of breach notification after exposure of PHI (Protected Health Information). =
Presence Health, a large healthcare network in Illinois, agreed to pay $475,000 to settle the HIPAA Breach Notification Rule violations. In the case of Presence, the violations related to delays in notifying affected patients and also notifying HHS.
The current HIPAA Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovery of the breach. Also, if it affects more than 500 people, a report must be submitted to the Office of Civil Rights within 60 days. The covered entity must also issue a breach notice to relevant media outlets and place in a prominent place on the company website.
OCR indicated that covered entities MUST have clear policies and procedures to respond timely to the Breach Notification Rule. Individuals needs to be notified in a timely manner so that they can take action to mitigate any harm the breach might cause. Jocelyn Samuels, OCR Director, indicated that the settlement should serve as a warning to HIPAA-covered entities that unnecessary breach notification delays will have serious financial repercussions. 60 days is the MAXIMUM time frame for announcing and reporting breaches, not a recommendation.
It’s interesting to note that in January 2017, over 40% of reported breaches were reported after the 60 day deadline for the HIPAA Breach Notification Rule.
Can’t wait to see the repercussions for this latest incidences of delayed reporting!
To see all the statistics related to HIPAA breaches, go here.