Presence Health, one of the largest healthcare networks in Illinois, has agreed to pay a $475,000 fine for failing to report a breach of unsecured protected health information in a timely manner.
Officials at the Department of Health and Human Services, Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act, noted it is the first settlement based on untimely reporting.
On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, the health system discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Ill. The information consisted of the affected individuals' names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.
OCR's investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach – as required by law – each of the 836 individuals affected.
"Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule's timeliness requirements" OCR Director Jocelyn Samuels said in a statement. "Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm."