Long Term Care & Senior Living Blog

As a helpful reminder, clients need to be aware that the March 1, 2017 deadline for reporting 2016 HIPAA breaches is fast approaching. March 1, 2017 is the Deadline for Reporting 2016 HIPAA Breaches Affecting Fewer than 500 Individuals by Covered Entities to the OCR. Click here for a link to the OCR portal to file year end breach reports. Each year, covered entities are required to file a report within 60 days of year end if the covered entity experienced a breach during the prior year affecting fewer than 500 individuals.

Don’t let your clients get caught paying a “big” settlement for failing to report a HIPAA breach! For the first time, the Office of Civil Rights (OCR) has announced a HIPAA settlement with a provider who failed to provide a timely breach report. Presence Health, a health network serving Illinois with approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities, has been ordered to pay a $475,000 HIPAA settlement and being directed to implement a corrective action plan because it failed to report a breach in a timely manner.

On June 29, 2016, the Office of Civil Rights (OCR) announced a Resolution Agreement it entered with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) a business associate of six nursing homes. This Resolution Agreement included a monetary payment of $650,000 and a Corrective Action Plan (CAP). The CAP requires CHCS to conduct a risk analysis and risk management, to develop and maintain written policies and procedures as well as to train all members of the CHCS workforce with access to ePHI within 60 days of the CAP in compliance with HIPAA, and to submit annual reports and attestation of CHCS’ compliance with the CAP for two years following the execution date of the Resolution Agreement.

In 2011-2012, the U.S. Department of Health and Human Services Office for Civil Rights conducted a pilot audit program (Phase 1) to evaluate covered entities compliance with HIPAA privacy, security and breach notification rules. The results of those audits...

Covered entities must submit annual report to the OCR by March 1, 2015 for breaches affecting fewer than 500 individuals. Breach notification obligations differ depending on whether the breach affects 500 or more individuals or fewer than 500 individuals.