As discussed in prior client alerts, the Office for Civil Rights (OCR), the agency charged with HIPAA enforcement, has increased its HIPAA compliance initiatives in recent months and is poised to continue its enforcement activities throughout 2017. If recent enforcement actions are a guide, the OCR is also prepared to issue fines for technical HIPAA violations of a kind for which it has not previously penalized health care providers.
In January 2017, the OCR issued a penalty in the amount of $475,000 to Presence Health, one of the largest health care systems in Illinois. This enforcement action was unique, as it was the first time the OCR penalized an organization solely for failing to report a breach within the HIPAA-prescribed time frames. Under HIPAA, an organization must notify the individuals whose protected health information (PHI) has been improperly used or disclosed without unreasonable delay and no later than 60 days after discovering the breach. Further, where the breach involves the PHI of 500 or more individuals, the organization has the same 60 days from discovery to also notify: (i) the Secretary of the Department of Health and Human Services (the Secretary); and (ii) prominent media outlets serving the state or jurisdiction where the affected individuals reside. Breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis, within 60 days of the end of the calendar year in which they were discovered.
Presence made a report to the OCR on January 31, 2014, disclosing a HIPAA breach. The report stated that on October 22, 2013, Presence discovered that paper documents containing the PHI of 836 patients were missing from a Presence-owned surgical facility. The information contained in the missing documents, including names, dates of birth, medical record numbers, dates of procedures, surgery types, and physicians' names, could readily be used to identify the individuals who received services at Presence and the types of services they received. Upon completing its investigation roughly three years later, the OCR determined that Presence had failed to notify the Secretary, the affected individuals, and the media within the required 60-day period.
In addition to the $475,000 fine, Presence was also required to enter into a Corporate Integrity Agreement for two years, which will subject it to increased government oversight and scrutiny. In imposing these penalties, the OCR Director noted that "[c]overed entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule's timeliness requirements." Further, "Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach."
This action by the OCR illustrates how important implementation and management are when complying with HIPAA. Many organizations incorrectly believe that having HIPAA-compliant policies and procedures in place satisfies the totality of their HIPAA obligations. Written policies are just one element of meeting HIPAA's mandates. Like all compliance efforts, an organization's written policies and procedures are only effective when properly implemented. It is likely that Presence maintained HIPAA policies that mandated the required notifications within the 60-day period but failed to comply with those policies in practice.
If your organization has not already done so for 2017, now is the time to: (i) review HIPAA policies and procedures for consistency with HIPAA's requirements; (ii) retrain staff regarding what HIPAA requires and your organization's specific procedures for implementing those requirements; and (iii) review the oversight and management of your organization's process for identifying, investigating, disclosing, and documenting HIPAA breaches and security incidents, including how the date of discovery is recorded, since the 60-day clock runs from that date.
Roetzel is available to assist in your HIPAA compliance efforts. Please contact any of the listed attorneys for more information on how we may be of service.