The Office for Civil Rights (OCR) recently announced a settlement for $475,000 resulting from a lack of a timely breach notification.
The OCR press release from January 9 outlines the details on a new settlement with Presence Health in Illinois. The OCR found that Presence Health had not reported a breach affecting 836 patients within the allotted notification time of 60 days. The breach was reported on January 31, 2014; the incident had occurred on October 22, 2013.
Remember: For breaches affecting more than 500 patients, a notification report must be sent to the affected patients, the media, and OCR within 60 days of discovery!
On October 22, 2013, Presence discovered that a document containing operating room schedules was missing. The document included patient names, dates of birth, medical record numbers, dates of procedures, types of procedures, and surgeons’ names.
During the investigation, OCR determined there was no reasonable delay involved. Consequently, Presence had violated the Breach Notification Rule. The press release also states that OCR tried to balance the importance of timely breach notifications without making organizations think twice about reporting.
Finally, OCR Director Jocelyn Samuels states: “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
For more information on other HIPAA requirements, sign up with HIPAAgps today.