On January 9, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) took action against a health system for non-timely reporting of a breach of protected health information. It was the first time the OCR opted to take an enforcement action in response to this type of infraction—perhaps suggesting a desire to set new precedent in the final days of the Obama administration.
The incident originated in late 2013, when Presence Health—an Illinois health system—learned that it lost several hundred operating room schedules and then failed to notify OCR within 60 days, as required. The OCR, which enforces privacy violations related to the Health Insurance Portability and Accountability Act (HIPAA), took action against Presence Health for non-timely reporting of a breach of protected health information (PHI). In a settlement with OCR, the health system agreed to pay $475,000 and implement an eight-point corrective action plan. In its announcement of the settlement, OCR noted that this is the first time it has taken action against an entity for non-timely reporting of a PHI breach.
The two-year corrective action plan includes requirements for Presence Health to draft and distribute new policies and procedures that comply with the requirements of the breach notification rule, with such policies to be approved by HHS and reviewed annually by Presence Health. Additionally, Presence Health is required to draft, and submit for HHS approval, training materials that would implement the newly drafted policies and procedures, with such training to be given to applicable Presence Health employees annually during the term of the corrective action plan.
According to the resolution agreement, Presence Health lost documents that contained protected health information and then failed to report the breach within the required timeframe. OCR, as the enforcer of HIPAA breaches, has authority to levy fines and other punishments for such breaches. Nonetheless, it might be considered a breach of etiquette for the OCR to take a novel enforcement action in the final days of an administration when it has declined to act on the same or similar violations for years. Senior administration regulators are setting an important precedent on their way out the door.
Large data breaches, both in the health sphere and more generally, have become increasingly common in the last five years (OCR publishes a list of data breaches that affect more than 500 individuals). Due to the increased publicity and scope of data breaches, the precedent-setting action by OCR can be seen as part of a broader response to data privacy and security issues, and a resulting desire to encourage transparency on the part of data holders.
All of this suggests that after years of polite non-enforcement, a breach of etiquette in the final days of an administration could change breach enforcement for years to come.