ALERT: First HIPAA Fine of 2017: HIPAA Violation of Breach Notification Rule
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first HIPAA violation settlement of 2017 with Presence Health for $475,000. This landmark fine is the first in HIPAA enforcement history for a failure to notify patients of a breach of unsecured protected health information (PHI). PHI is any health data that contains individually identifiable information such as names, dates of birth, and addresses. Over 800 individuals were affected.
Changes in HIPAA Violation Enforcement
Presence Health is a large healthcare network based in Illinois. Presence runs physicians’ offices and health care centers in its system and offers home care, hospice care, and behavioral health services.
In the past, medical specialties like behavioral health services have been largely spared from large-scale OCR enforcement. But this fine marks a new trend in HIPAA enforcement: a shift away from traditional large-scale enforcement and into more niche health care sectors. Because of the volume of patient data that behavioral health specialists handle, they find themselves particularly at risk of a breach of unsecured PHI, just like the one that affected Presence Health. In response to the settlement, Jocelyn Samuels, Director of OCR, stated that “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
This unprecedented settlement action is a strong indication from OCR that previously uncharacteristic enforcement efforts are going to become commonplace in the months and years ahead.
A spokesperson from Presence Health commented on the settlement, saying:
At Presence Health patient privacy is a top priority. This is why we are working diligently with the OCR on all steps required under the corrective action plan, including additional associate training in HIPAA policies and procedures. This is the culmination of a several-year process working with the OCR to resolve a matter we voluntarily reported to the OCR in 2014 related to an isolated incident involving paper records at a surgery center located in Joliet, Illinois. This incident did not involve any electronic records and did not involve any disclosure of patient contact or financial information. We are confident that reports on our progress to quickly implement revised policies and procedures will be positive.
HIPAA Violation Resources
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with Breach Notification management through The Guard™. The Guard is a web-based HIPAA compliance solution. Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. If a breach occurs, users can contact their Coach for a step-by-step walkthrough of the notification and remediation process, ensuring that patients are notified and proper federal protocol is followed. With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure. For more information about what you can do to protect your behavioral health practice, check out these upcoming HIPAA educational webinars.