A delay in reporting a HIPAA violation can result in a significant monetary penalty. That was the message sent by the Office for Civil Rights (OCR), which recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (PHI). According to the OCR, Presence Health (a large health care network in Illinois) has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. OCR stated that, with this settlement amount, it balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.

Interestingly, the breach stemmed not from a cyber-attack but from the loss of paper-based operating schedules at a surgery center that included the PHI of 836 patients, such as their names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. Presence Health apparently discovered the breach on October 22, 2013, but did not report it to OCR until January 31, 2014, over 90 days later. Under HIPAA, breach notifications are to be made to affected individuals, OCR, and also prominent media outlets (required for breaches affecting 500 or more individuals), and must be made without unreasonable delay and within 60 days of discovering the breach.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said OCR Director Jocelyn Samuels, pointing out that affected individuals need prompt notice so they can take action to help mitigate any potential harm caused by the breach. Organizations would be wise to heed this advice and avoid any unwanted “presents” from OCR.