First 2017 HIPAA Settlement Targets Behavioral Health, Healthcare Network
Last week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first HIPAA settlement of 2017 with Presence Health for $475,000. This is the first fine in the history of HIPAA enforcement levied for a failure to notify over 800 patients of a breach of unsecured protected health information (PHI) in accordance with the standards of the HIPAA Breach Notification Rule. PHI includes any health data containing identifiable information like dates of birth, names, addresses, etc.
HIPAA Enforcement on the Rise
Presence Health is one of Illinois’ major healthcare networks. Presence operates physicians’ offices and health care centers and also offers home care, hospice care, and behavioral health services. Historically, medical specialists working in behavioral health services have been largely spared from large-scale HIPAA enforcement fines. But this fine suggests a growing trend in HIPAA enforcement: settlements are quickly moving away from traditional enforcement and into more niche health care sectors.
Behavioral health specialists handle a large volume of patient data, which puts them at particular risk of a breach of unsecured PHI, just like the one at issue in the Presence settlement. In response to the settlement, Jocelyn Samuels, Director of OCR, stated that “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
This unprecedented settlement action is a strong indication from OCR that historically uncharacteristic enforcement efforts are set to become an increasingly common occurrence.
A spokesperson from Presence Health commented on the settlement, saying: “At Presence Health patient privacy is a top priority. This is why we are working diligently with the OCR on all steps required under the corrective action plan, including additional associate training in HIPAA policies and procedures. This is the culmination of a several year process working with the OCR to resolve a matter we voluntarily reported to the OCR in 2014 related to an isolated incident involving paper records at a surgery center located in Joliet, Illinois. This incident did not involve any electronic records and did not involve any disclosure of patient contact or financial information. We are confident that reports on our progress to quickly implement revised policies and procedures will be positive.”
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with Breach Notification management through The Guard™. The Guard is a web-based HIPAA compliance solution. Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. If a breach occurs, users can contact their Coach for a step-by-step walkthrough of the notification and remediation process, ensuring that patients are notified and proper federal protocol is followed. With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
For more information about what you can do to protect your behavioral health practice, check out these upcoming HIPAA educational webinars. Field your HIPAA concerns with our compliance experts and find out how simple compliance can be.