The HHS Office of Civil Rights (OCR) recently announced a settlement with Presence Health Network (Illinois) for failing to comply with the Data Breach Notification Rule because it failed to provide notice of a data breach within the required 60 days. Presence discovered on October 22, 2013, that paper-based Operating Room schedules containing PHI for 836 individuals were missing from one of its Ambulatory Surgery Centers. Presence took over 100 days to notify affected individuals, the media and HHS of the breach. The explanation for the delay was miscommunication among the staff who were responsible for the breach response. However, the OCR investigation revealed that Presence had also failed to timely notify individuals of other data breaches in 2015 and 2016, after the 2013 breach, indicating that Presence had not corrected its breach response processes. This is the first time that HHS has imposed sanctions on a HIPAA covered entity or business associate for failure to comply with the Data Breach Notification Rule.

The settlement imposes a fine of $475,000 on Presence. While substantial, this fine is much lower than it could have been, considering that every day beyond the 60-day notification deadline constitutes a separate violation for each affected patient. In addition to the monetary penalty, Presence agreed to a 2-year Corrective Action Plan (CAP) in which it must:

  1. Revise existing policies and procedures (within 60 days) to better identify the roles and responsibilities of workforce members in detecting, assessing and responding to suspected breaches;
  2. Revise existing policies and procedures (within 60 days) to require imposition of sanctions against workforce members who fail to comply with its policies and procedures for the use and disclosure of PHI and the detection, assessment and response to suspected breaches;
  3. Provide the revised policies and procedures to HHS for review and make any required revisions and resubmit to HHS within 21 days;
  4. Formally approve all revised policies and procedures within 30 days of agreeing to final language with HHS;
  5. Distribute all revised policies and procedures to workforce members within 30 days of approval;
  6. Review all relevant policies and procedures at least annually and update as necessary but only after sharing the proposed revisions with HHS and obtaining HHS approval;
  7. Conduct training for all relevant workforce members on the new policies and procedures;
  8. Notify HHS within 30 days of determining that a workforce member has failed to comply with any applicable policy and procedure related to a possible data breach. This notification must include a complete description of the event giving rise to the determination and describe the actions taken with respect to the workforce member.

These CAP obligations are extremely specific and provide HHS with extensive oversight of the provider's routine operations. Importantly, the CAP applies to all Presence entities, not just the ASC involved in the 2013 data breach. Failure to comply with the terms of the CAP will result in Presence being subject to the imposition of additional fines and penalties by OCR.

This "first-of-its-kind" settlement signals the clear intent of HHS to strictly enforce the 60-day timeline for data breach notification. We can expect to see additional settlements like this, perhaps with greater penalties. We urge all covered entities and all business associates to:

  • immediately review their data breach response plans;
  • conduct exercises to test those plans to determine how effective they are;
  • update the plans based on the results of this testing; and
  • fully document all steps taken in this process in order to have a clear record of what steps they have taken.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.