Untimely Breach Notification Leads to $475,000 HIPAA Settlement | Practical Law


The Department of Health and Human Services (HHS) has announced a settlement with an Illinois-based health care provider system for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) resulting from the health care system's failure to provide timely breach notification. The health care system will pay $475,000 to settle the potential HIPAA violations and must comply with numerous requirements under a corrective action plan (CAP).


Practical Law Legal Update w-005-3047 (Approx. 5 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 09 Jan 2017 | USA (National/Federal)
On January 9, 2017, HHS announced a $475,000 settlement with an Illinois-based nonprofit health care system involving potential violations of HIPAA (see the HIPAA Privacy, Security, and Breach Notification Toolkit). HHS's investigation occurred after the health care system, a HIPAA covered entity (CE), informed the government of a breach of unsecured protected health information (PHI) at one of its facilities (see Practice Notes, HIPAA Breach Notification Rules for Group Health Plans and HIPAA Enforcement and Group Health Plans: Penalties and Investigations).

Scope of HIPAA Compliance Failures

In January 2014, the CE notified HHS of its discovery—several months earlier, in October 2013—that paper-based operating room schedules containing the PHI of 836 individuals were missing from one of its surgery centers. The information consisted of individuals' names, birth dates, medical record numbers, dates and types of procedures, surgeon names, and types of anesthesia. The CE's report acknowledged delays in the CE's provision of HIPAA breach notifications, apparently owing to miscommunications among the CE's workforce members.
While investigating this breach, HHS learned that the CE also provided untimely written breach notifications to individuals whose PHI was compromised in the context of other reported breaches affecting fewer than 500 individuals, which were submitted in 2015 and 2016.
The CE did not notify affected individuals of the October 2013 breach until February 3, 2014, that is, 104 calendar days after it discovered the breach and well past the 60-calendar-day outer limit that applies to individual notification. Two points are worth noting for compliance purposes. First, the clock starts on the date of discovery, and under the breach notification rules a breach is treated as discovered on the first day it is known to the CE, or would have been known had the CE exercised reasonable diligence, including knowledge held by any workforce member or agent other than the person who committed the breach (see 45 C.F.R. § 164.404(a)(2)). Internal miscommunication therefore does not delay the start of the 60-day period. Second, the 60 days is an outer limit, not a safe harbor: notification must be made without unreasonable delay, and HHS may treat a notice sent within 60 days as untimely if the CE could reasonably have sent it sooner. The CE also failed to timely provide the required notice to the media and to HHS regarding the October 2013 breach (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans: Notification to the Media and Notification to HHS). HHS noted that each day the CE failed to provide these required notifications was a separate violation of HIPAA's breach notification rules.

Corrective Action Plan

In addition to the $475,000 payment, the CE must adhere to a multi-faceted corrective action plan (CAP). For example, the CE must revise its existing policies and procedures to comply with HIPAA's breach notification rules. In particular, the policies and procedures must specify the CE's workforce members' roles and responsibilities for:
  • Receiving and addressing internal reports of potential breaches of PHI.
  • Receiving and addressing external reports by individuals and HIPAA business associates of potential breaches of unsecured PHI (see Standard Document, HIPAA Business Associate Agreement).
  • Completing risk assessments of potential breaches of unsecured PHI to determine the probability that PHI has been compromised (see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations).
  • Preparing notifications to individuals whose unsecured PHI is compromised because of a breach (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans).
  • Preparing notifications to prominent media outlets serving the applicable state or jurisdiction (for breaches of unsecured PHI affecting more than 500 residents of a state or jurisdiction).
  • Preparing notifications to HHS regarding breaches of unsecured PHI.
  • Ensuring that all required breach notifications are submitted to affected individuals, the media, and HHS:
    • without unreasonable delay; and
    • within the timeframes required under HIPAA's breach notification rules.
The CE also must revise its policies and procedures so that appropriate sanctions are imposed on its workforce members who violate the policies and procedures. The CAP includes processes and deadlines for sending the revised policies and procedures to HHS for approval, and for finalizing, adopting, distributing, and updating the policies and procedures (which requires HHS's re-approval).
Additional CAP requirements apply to the CE's training materials regarding its policies and procedures (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).

Practical Impact

According to HHS, this settlement is the first to be based on the untimely reporting of a breach of unsecured PHI. Although this settlement arose in the provider context, HHS's enforcement approach would apply just as readily to a group health plan (also a HIPAA CE) that failed to timely provide a required HIPAA breach notification. In announcing the settlement, HHS indicated that the amount was intended to penalize untimely breach reporting without discouraging CEs from reporting breaches at all. That may explain why the settlement amount is somewhat lower than in other recent settlements (see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations).