Jan 12 2017

Breach Notification Laws Are Being Enforced

First HIPAA enforcement action for lack of timely breach notification settles for $475,000

In a landmark case, federal regulators have issued a $475,000 financial settlement and corrective action plan for Presence Health regarding its tardy notification for a paper records breach that affected approximately 800 individuals.

The Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, noted that companies “need to have a clear policy and procedures in place to respond to the [HIPAA] Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

In addition to the financial payment, the resolution agreement between OCR and Presence Health calls for the organization to implement a corrective action plan that includes:

  1. Review and revision of its existing policies and procedures related to breach notification;
  2. Distributing the updated policies and procedures to Presence Health’s workforce; and
  3. Providing training to Presence Health’s workforce pertaining to those policies and procedures.

Whether or not your company is required to be HIPAA compliant, all Pennsylvania entities are subject to the PA – BREACH OF PERSONAL NOTIFICATION ACT. If your company has been breached, you cannot bury your head in the sand; you must notify all potentially affected parties. Contact Layer 8 Security to assist in your Breach Notification Plan and stay ahead of the Authorities.

Just this month, we onboarded a new client that was breached and recognized that they had a legal requirement to notify all potentially affected individuals. While the task seemed both fatal to the company and overwhelming to its principals at first, once completed, the process left them with two distinct conclusions:

  1. Employees, partners, and customers respected and appreciated the notification; and
  2. A significant number of friends and business counterparts admitted that they had been breached/hit with malware (including ransomware) and remain concerned/insecure about the lingering consequences of failing to act.

Of course, an ounce of protection is worth a pound of cure. Don’t wait to be breached; implement a Cyber Risk Management Program as soon as possible. To learn more about the HIPAA enforcement: https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html#

More to the point, to learn about what you should do, either in response or proactively, contact Layer 8 Security today.