The Department of Health and Human Services Office for Civil Rights (OCR) today announced its first HIPAA settlement for failure to provide timely breach notification. The settlement was with Presence Health Network (“Presence”), a Chicago-area health system, and was based on Presence notifying OCR, individuals, and the press 101 to 106 days after discovering that paper-based operating room schedules had gone missing, rather than within 60 days after discovery, as required under the HIPAA Breach Notification Rule. During its investigation, OCR also discovered that on several occasions Presence was late in notifying individuals of smaller breaches.
This settlement provides another reminder of the importance of effective policies and procedures for responding to and reporting data breaches on a timely basis. The Resolution Agreement noted that each late day was a separate violation of the Breach Notification Rule. Presence agreed to pay $475,000 and implement a corrective action plan.
OCR’s press release and resolution agreement are available here.