The Office for Civil Rights (OCR) opened its 2017 HIPAA enforcement with a settlement based on a failure to report a breach of health information in a timely manner. The settlement was reached with Presence Health, a large health care network that operates in approximately 150 locations in Illinois. Presence Health agreed to settle the potential violations by paying $475,000 and implementing a corrective action plan to prevent the same failure from recurring.
The settlement stems from a breach of the protected health information (PHI) of 836 people. OCR received notification of the breach on Jan. 30, 2014 and, upon further investigation, determined that Presence had taken 104 calendar days to notify affected individuals. This fell far outside the limit set by the HIPAA Breach Notification Rule, which requires notification without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. Timely reporting matters because it gives affected individuals the chance to protect themselves, for example by watching their accounts and records for misuse, before the exposed information is used against them.
Being able to report a breach quickly and properly to affected customers is not a concern limited to health information governed by HIPAA. Many states have their own breach notification laws that require notification promptly after the discovery of a loss of certain categories of data. One way to make sure your company can cope with the time crunch and pressure of a breach is to prepare in advance by creating an incident response plan.
Creating an incident response plan can help an organization avoid fines from regulators and be better prepared when a breach occurs. Forty-seven states have their own version of a breach notification law, and that does not include the federal requirements for certain categories of information. Navigating the multitude of laws that surround a breach can be daunting, but an incident response plan that records which notification obligations apply to your data, who is responsible for making each notification, and how the date of discovery is established and documented lessens that difficulty and prepares your organization to get through it.