First HIPAA settlement based on untimely reporting involved hard copy PHI

Occasionally we answer questions regarding what constitutes a reportable breach, such as: Isn't it only a reportable breach if the incident involves electronic protected health information (ePHI)? What about paper? Should these types of incidents be handled internally without being reported?

Based on a recent U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announcement, both timely reporting and hard copy (paper) PHI are to be taken seriously. Moreover, this was the first HIPAA settlement based on the untimely reporting of a breach of unsecured PHI.

OCR received a breach notification report on January 21, 2014 from Presence Health indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center. The information consisted of the affected individuals' names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.

OCR determined that Presence failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.

Ultimately, Presence Health agreed to pay $475,000 and implement a corrective action plan to settle potential violations of the HIPAA Breach Notification Rule.

Key Takeaways from OCR's Announcement

  1. OCR believes the settlement amount balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.
  2. Whether the impermissible access or disclosure of PHI is oral, electronic, or paper, you should ensure all incidents, breaches, and complaints are properly investigated.
  3. Notice must be provided without unreasonable delay, and within 60 days of discovering a breach, to affected individuals, to OCR, and, for breaches involving 500 or more individuals, to prominent media outlets.

Healthcare Compliance Pros' online breach log is a great place to log privacy and security incidents, patient complaints, and suspected breaches. From there you can opt to have one of our specialists review the report, determine whether a breach did occur, provide notification and mitigation instructions to ensure you are in compliance with the Breach Notification Rule requirements, and help your organization avoid an OCR settlement.

If you have any questions, please do not hesitate to contact us at 1-855-427-0427 or [email protected].