You’ll Pay for a Delay

The Office for Civil Rights did not wait long into 2017 to issue its first settlement for a HIPAA-related breach. The honor for Presence Health came only nine days into the year. The settlement, as so many before, provides a stark statement that delays in providing breach notification are unacceptable.

For background, Presence Health notified OCR about missing paper operating room schedules on January 31, 2014.  However, Presence Health actually discovered the breach on October 22, 2013. Compounding the problem, Presence Health did not notify the individuals affected until February 3, 2014, and the local media until February 5, 2014. Both the individual and media notices occurred after notice to OCR. As always happens, OCR investigated Presence Health and found further issues of non-compliance. Specifically, OCR determined that Presence Health delayed breach notifications to individuals in multiple circumstances.

As would be expected, OCR did not take kindly to this pattern of behavior. OCR focused on the notice that led to the investigation but clearly did not condone the delayed notifications. The non-compliance will cost Presence Health $475,000. In the grand scheme of settlements, this falls on the somewhat lighter side. A factor behind the amount could be that the October 22, 2013 breach impacted 836 individuals, which is not a big breach quantity-wise. This does not touch upon the fact that any breach, no matter what size, carries serious implications for the impacted individuals.

Going forward, organizations must diligently investigate and determine whether a breach occurred and provide timely notification, where appropriate. Any delay will only result in higher costs to an organization. Namely, the cost of actually providing the notice could be compounded by a fine for sending the notice too late.

Another consequence of the settlement may be the inclusion of shorter notification terms within business associate agreements, whether from covered entity to business associate or from business associate to subcontractor. Debates have arisen as to whether a double timeframe could apply, but rest assured that no one will want to play with fire at this point.

Overall, the settlement should not impact organizations too much. It would already be a best practice to notify individuals of a breach as soon as possible, because notification ties to trust with patients/customers. No organization wants to be seen as not taking privacy and security seriously. Bottom line, it is incumbent on organizations to fully understand all of HIPAA’s requirements and dutifully follow them.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
