

Covered Entities Must Report HIPAA Breaches Timely

When HIPAA breaches occur, a lot is on the line for patients and healthcare providers alike.

Presence Health Network has agreed to pay $475,000 to the Department of Health and Human Services (HHS) for failing to timely report the breach of unsecured protected health information. While this is the first enforcement action based upon failing to comply with the breach notification requirements, it probably will not be the last.

The breach at Presence Health Network involved the loss of paper operating room schedules containing the names, dates of birth, medical record numbers, dates of surgery and other individually identifiable health information of 836 individuals. The Regulations that implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA) include specific requirements for reporting the breach of unsecured PHI. Under those regulations, covered entities must notify every individual patient of any breach of unsecured protected health information (PHI) "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." This requirement applies even if the breach only involves one unsecured record containing PHI.

If the breach involves 500 or more individuals, the covered entity must also notify the Secretary of HHS contemporaneously with the notice to the affected individuals. The covered entity must also notify the media if the breach involves more than 500 residents of a state or jurisdiction. The notice to the media must also be made "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." The only exception to compliance with these time requirements is official notice to the covered entity by a law enforcement agency that reporting the breach would impede a criminal investigation.

According to the Resolution Agreement, Presence Health Network did not notify the affected individuals until 104 days after the breach was discovered, did not report the breach to the media until 106 days after discovery, and did not notify the Secretary of HHS until 101 days after discovery. HHS treats each day that Presence failed to comply with the breach notification requirements as a separate violation.


When a covered entity reports a breach to the Secretary of HHS, the breach is investigated. A covered entity reporting a breach soon learns that the investigation is not limited to the specific breach it reported. The investigation may also include an examination of the covered entity's policies and procedures, as well as its reports of other breaches. In the case of Presence Health Network, the HHS investigation revealed that Presence had failed to provide timely notice with regard to prior breaches as well.

The settlement between Presence Health Network and HHS requires Presence to enter a Corrective Action Plan with HHS. The Corrective Action Plan requires Presence to revise its policies and procedures concerning compliance with the HIPAA Breach Notification Rules, and Presence is required to submit its revised policies and procedures to HHS for approval. Once the revised policies and procedures are approved by HHS, Presence is required to provide training to its personnel regarding the revised policies and procedures.

Presence must also obtain HHS approval of the training to be provided to its personnel. The expense for Presence to comply with the Corrective Action Plan will be in addition to the expenses it already incurred when it provided notice of the actual breach. The expense of providing breach notifications is currently estimated at between $200 and $300 per record.

Every covered entity needs to make sure that its policies and procedures concerning compliance with the HIPAA regulations include the reporting requirements. Covered entities also need to make sure the policies and procedures delineate the responsibilities of personnel charged with investigating potential breaches.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.


© 2017 ADVANCE Healthcare, an Elite CE company