Eric Fader was quoted in a January 17 article, “HHS Pact Shows Data Breach Reporting Can’t Fall Off Radar,” published in Law360. The article discussed the groundbreaking $475,000 settlement that Presence Health, an Illinois health system, reached with the Department of Health and Human Services Office for Civil Rights (OCR) for failing to report a data breach in a timely manner.
This incident was a pure privacy issue, Eric told Law360, rather than one involving potential identity theft. “Still, OCR is using it as an example and a warning to all providers that timely breach notification is critical so that the affected parties can take immediate action to protect themselves, such as changing passwords and signing up for credit monitoring services.”
Eric also pointed out that the Resolution Agreement Presence entered into with the OCR mentioned their late reporting of prior breaches in 2015 and 2016. “Given their recidivism, they may have gotten off lightly with a fine of only $475,000,” he observed.
While the jury is still out on whether OCR will publicize more actions specifically targeting breach notifications in the future, Eric noted that the Presence case presented a “simple enough fact situation that the OCR may feel that they’ve made their point.”
Looking forward, Eric predicted that we’re likely to see a continued high level of HIPAA enforcement activity. “Just when one might think that the OCR must have publicized a settlement for every major category of HIPAA violation by now, an announcement like this one is a reminder that their educational efforts are not complete,” Eric said. “It will be interesting to see what’s left.”