Time is of the Essence When Reporting a Breach of PHI

January 11, 2017 | By Lawrence J. Tabas

The failure to timely report a breach of unsecured protected health information (PHI) has cost Presence Health (one of the largest health systems in Illinois) almost half of a million dollars.

Earlier this month, Presence Health agreed to pay $475,000 and enter into a corrective action plan (CAP) with the Office for Civil Rights (OCR) based upon its failure to timely report a data breach in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and HIPAA’s Breach Notification Rule.

On October 22 2013, Presence Health discovered that paper-based operating room schedules were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The schedules contained PHI, including the names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia used for 836 Presence Health patients. Presence Health did not notify OCR of the data breach until January 31, 2014 when Presence Health submitted a breach notification report.

During its subsequent investigation, OCR found that Presence Health failed to timely notify: (i) each of the 836 individuals affected by the breach, (ii) prominent media outlet(s), and (iii) OCR. HIPAA requires covered entities (and business associates) to report breaches without unreasonably delay and in no case later than 60 calendar days after discovery of a breach.

OCR Director Jocelyn Samuels said “[c]overed entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirement…Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The Presence Health settlement and CAP provide an important lesson for covered entities.

A breach of PHI can occur at any time, even if it is unintentional and outside of a covered entity’s control. As such, covered entities need to be ready. Covered entities need to have policies and procedures in place so that they can promptly determine whether an incident constitutes a breach of PHI and if it does, they can respond appropriately under the Breach Notification Rule.

If your organization does not have appropriate policies and procedures in place, or if your organization needs help in responding to a breach, contact the Health Law Gurus.

To read a copy of the Presence press release, click here.

To read a copy of the Resolution Agreement and CAP, click here.


About the Authors

Lawrence J. Tabas


Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...

Read More by Author