One of the largest health care providers in the state of Illinois failed to report a data breach, leading to the compromise of hundreds of patient records and a massive federal penalty.
Giant Health Care Provider Loses Surgical Schedule
On October 22, 2013, Presence Health, which operates about 150 health care facilities including 11 hospitals and 27 long-term-care centers, misplaced a paper operating room schedule. The document included patient names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia scheduled for Presence St. Joseph Hospital in Joliet, Illinois. The schedule contained the Protected Health Information (PHI) of 836 patients.
A Breach And A Slow Response
Allowing unauthorized parties access to PHI is a violation of the Health Insurance Portability and Accountability Act (HIPAA). More egregious was Presence Health’s failure to notify, in a timely manner, the Office for Civil Rights (OCR) or any of the 836 patients of the breach. The federal Breach Notification Rule requires any privacy breach to be reported to the OCR and affected patients within 60 days. For breaches affecting more than 500 people, the HIPAA-covered entity must also notify major media outlets.
Presence Health waited until January 31, 2014, to notify the OCR. The violation was avoidable.
The OCR investigation was the first involving a charge of slow breach notification.
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said then-OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
A Costly Failure
As a result of Presence Health’s slow response to the PHI breach, the OCR settled its case with a whopping $475,000 monetary charge. In addition to paying nearly half a million dollars for its failure, Presence Health was forced to adhere to a lengthy Corrective Action Plan.
Is your organization prepared for a breach? Have you performed a HIPAA Risk Analysis? If you’re not 100 percent certain, we can help.