ARTICLE
12 January 2017

Delayed Breach Notice Costs Illinois Health System

Day Pitney LLP

Contributor


Presence Health, an Illinois health system, reached a $475,000 settlement with the Department of Health and Human Services' Office for Civil Rights (OCR) for failing to report a data breach in a timely manner. The OCR's January 9 press release noted that this was the first such enforcement action.

Eric Fader's comments on the settlement appeared in a January 10 article, "Delayed Breach Notice Costs Illinois Health System," published in Bloomberg BNA's Privacy Law Watch and Health Care Daily Report. Eric told Bloomberg BNA that, in his view, failing to notify the OCR in a timely manner is not as big a deal as other types of HIPAA violations, but a failure to notify the individuals affected by a data breach "without unreasonable delay" can be a major problem. This particular breach appears not to have involved patients' Social Security numbers, making it more of a pure privacy issue than a risk of identity theft. Generally speaking, however, a delay in notifying the parties affected by a breach can prevent them from taking immediate action to protect themselves, such as changing passwords or signing up for credit monitoring services.

Eric said he doesn't really expect more of this type of settlement – it is a simple enough fact situation that the OCR may feel that they've made their point. He speculated that if they do choose to go back to the well on breach notifications, the next announced settlement might involve a failure to notify the OCR of a smaller (under 500 person) breach within 60 days after the end of the calendar year in which it occurred.

Eric found it noteworthy that the OCR chose to publicize a settlement of a violation that involved paper records, after focusing recently on breaches of electronic PHI. The last settlement announcements that involved paper were the Triple-S settlement in 11/15 (mailed pamphlets, discussed here) and the Parkview Health System settlement in 6/14 (cardboard boxes of records dumped in a driveway, discussed here).
