Reporting a Breach

It may not always be clear what to do when you have a breach, but reporting a breach is one of the most important steps you can take.  In most cases, the practice is either not sure there was a breach, or they try to fix it real quick.  Here is some solid advice:  REPORT THE BREACH.  You have 60 days to report the breach.  Once you have been breached, the info is already compromised.  There really is nothing to wait for.  There are large HIPAA fines associated with not reporting a breach, and a facility in Illinois has been fined $475K.

From Healthcare IT News:  Presence Health, one of the largest healthcare networks in Illinois, has agreed to pay a $475,000 fine for failing to report a breach of unsecured protected health information in a timely manner. Officials at the Department of Health and Human Services, Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act, noted it is the first settlement based on untimely reporting.

On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, the health system discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Ill. The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia. 

OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach – as required by law – each of the 836 individuals affected.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” OCR Director Jocelyn Samuels said in a statement. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm.”

Let’s face it.  No one like to report a breach.  As tempting as it may be to sweep it under the rug, think again.  I promise it will come back at you.  Report the breach.