Late Breach Notification Leads to Half a Million Dollar HIPAA Settlement

Failure by a covered entity to timely report a breach of protected health information (PHI) resulted in the first of its kind settlement in the amount of $475,000.

In the settlement, the Office for Civil Rights (OCR) alleged that the covered entity failed to notify affected individuals and the media in writing within the time required by the Breach Notification Rule. Under the Breach Notification Rule, a covered entity must notify each affected individual of a breach without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. OCR alleged that the covered entity's notice was untimely, having been provided 104 calendar days after discovery of the breach.

At issue were paper-based operating room schedules containing the PHI of 836 individuals that went missing from a surgery center. The information consisted of the affected individuals' names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.

Without admitting liability, the covered entity settled with OCR for $475,000 and agreed to enter into a corrective action plan (CAP). The CAP requires that the covered entity, among other things, revise its existing policies and procedures with respect to the Breach Notification Rule, sanction workforce members who fail to comply with the requirements of the Privacy and Security Rules, provide OCR with the revised policies and procedures for the agency's approval, train its workforce on the covered entity's policies, and provide OCR with a report on implementation of the CAP. The covered entity remains subject to the provisions of the CAP for six years.

If you have questions regarding the recent settlement, the HIPAA Privacy and Security Rules, the Breach Notification Rule, or New Jersey privacy rules, please contact our office.