Medical Provider To Pay $475,000 For Failing To Timely Report The Loss Of PHI

Written by: Richard Sheinis, Esq.

The importance of timely reporting breaches of Protected Health Information (“PHI”) is now underscored by the U.S. Department of Health and Human Services (“HHS”) first ever enforcement action against a medical provider for failing to timely report a breach. Presence Health, a health care network with approximately 150 locations, including hospitals, and long-term care and senior living facilities, has agreed to pay $475,000, and implement a corrective action plan for failing to notify patients within 60 days of discovering the breach.

The breach involved the loss of paper operating room schedules, which contained the PHI of 836 patients. The PHI included names, dates of birth, medical record numbers, and information about the procedures performed on each patient. The incident was discovered on October 22, 2013, but Presence Health did not file their breach notification report with HHS until 101 days later on January 31, 2014.

In addition to the $475,000 penalty, Presence Health’s corrective action plan requires them to revise policies and procedures, provide training to employees, and provide reports to HHS regarding its compliance with these requirements. Health care providers should remember that any breach affecting 500 or more individuals requires notification to patients, as well as notification to prominent media outlets, and the filing of the breach notification report with HHS “without unreasonable delay”, but in no case more than 60 days after the discovery of the breach.