Presence Health, an Illinois health system, reached a $475,000 settlement with the Department of Health and Human Services’ Office for Civil Rights (OCR) for failing to report a data breach in a timely manner. The OCR’s January 9 press release noted that this was the first such enforcement action.
Eric Fader’s comments on the settlement appeared in a January 10 article, “Delayed Breach Notice Costs Illinois Health System,” published in Bloomberg BNA’s Privacy Law Watch and Health Care Daily Report. Eric told Bloomberg BNA that in his view, the failure to notify the OCR in a timely manner is not as big a deal as other types of HIPAA violations, but a failure to notify the individuals affected by a data breach “without unreasonable delay” can be a major problem. This particular breach appears not to have involved patients’ social security numbers, making it more of a pure privacy issue than a risk of identity theft, but generally speaking a delay in notifying the parties affected by a breach can prevent them from taking immediate action to protect themselves, like changing passwords, signing up for credit monitoring services, etc.
Eric said he doesn’t really expect more of this type of settlement – it is a simple enough fact situation that the OCR may feel that they’ve made their point. He speculated that if they do choose to go back to the well on breach notifications, the next announced settlement might involve a failure to notify the OCR of a smaller (under 500 person) breach within 60 days after the end of the calendar year in which it occurred.
Eric found it noteworthy that the OCR chose to publicize a settlement of a violation that involved paper records, after focusing recently on breaches of electronic PHI. The last settlement announcements that involved paper were the Triple-S settlement in 11/15 (mailed pamphlets, discussed here) and the Parkview Health System settlement in 6/14 (cardboard boxes of records dumped in a driveway, discussed here).