The U.S. Department of Health and Human Services entered into its first settlement agreement with a covered entity for late notification of a HIPAA breach.
Presence Health in Illinois agreed to a $475,000 settlement of potential HIPAA violations. In October 2013, Presence Health discovered that operating room schedules containing protected health information of 836 individuals was missing from a surgery center. Presence Health notified HHS about the event in January 2014. When HHS investigated, it discovered that Presence Health failed to notify individuals impacted by the breach within 60 days of discovery and it failed to inform media outlets and HHS within this timeframe.
HHS determined that covered entities need to have policies and procedures in place to respond to the HIPAA breach notification rule timing requirements. Presence Health agreed to the settlement amount and to implement a corrective action plan.