Don’t let your clients get caught paying a “big” settlement for failing to report a HIPAA breach! For the first time, the Office of Civil Rights (OCR) has announced a HIPAA settlement with a provider who failed to provide a timely breach report. Presence Health, a health network serving Illinois with approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities, has been ordered to pay a $475,000 HIPAA settlement and has been directed to implement a corrective action plan because it failed to report a breach in a timely manner.
We offer updates on national and regional issues such as malpractice defense, regulatory compliance, labor and employment issues, and estate planning.
The Omnibus Final Rule (Final Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was issued in January 2013 and became effective on March 26, 2013 with a general compliance date of September 23, 2013. However, Covered Entities were given additional time to get their pre-Final Rule Business Associate Agreements (BAAs) in compliance. That compliance deadline is fast approaching on September 23, 2014.
Today, the HHS Press Office released notice of a settlement of $800,000 with Parkview Health System, Inc. (Parkview) for potential HIPAA violations. This settlement relates to a complaint going back to September 2008, when Parkview received between 5,000 and 8,000 patient records from a retiring physician. Parkview received the medical records as part of the physician’s transition to retirement, while Parkview decided whether to purchase some of the physician’s practice.
Hershey Medical Center announced that it will notify 1,801 patients of a data breach. This privacy breach arose out of an employee’s action, which involved taking data home on a removable storage device to work on a personal computer at home after hours. The employee then used his personal email to send updated data to doctors at the medical center. Because the employee worked with the data on devices and systems without the safeguards and controls of the workplace, the medical center could not rule out the possibility of unauthorized access of the information. While Hershey Medical Center did not believe an unauthorized person accessed the information, it felt it needed to notify the patients.