Interactive Counsel

Arent Fox's interactive media law blog - latest news and trends in advertising, data security & privacy, and IP.

Interactive Counsel

Life’s a Breach - Sitting on that HIPAA Breach Notification Could Burn You


Life’s a Breach - Sitting on that HIPAA Breach Notification Could Burn You

What’s the News?

On January 9, 2017, Presence Health agreed to settle with the U.S. Department of Health and Human Services (HHS) potential violations under the Breach Notification Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is HHS’ first enforcement action against a covered entity that reported a breach, but did not do so timely.

Presence Health is a health care system in Illinois. The alleged HIPAA violations arose from a security breach that occurred sometime in October 2013, involving lost paper-based operating room schedules that contained the protected health information (PHI) of 836 individuals. Under HIPAA, Presence Health had an obligation to notify affected individuals, the media, and HHS without unreasonable delay and no later than 60 calendar days after discovering the breach. HHS found that Presence Health provided notifications to the affected individuals 104 days after discovering the breach; to the media, 106 days after; and to HHS, 101 days after. During the course of its investigation, HHS also uncovered that Presence Health failed to provide timely breach notification for other breaches in 2015 and 2016.

Under the settlement, Presence Health has agreed to pay HHS $475,000 and comply with a comprehensive Corrective Action Plan (CAP). The CAP requires Presence Health to revise its existing policies and procedures relating to breach notification to comply with the Breach Notification Rule; revise existing policies and procedures relating to sanctions against workforce members who fail to comply with HIPAA rules; forward revised policies to HHS within 60 days for HHS’ review and approval; and adopt the policies and procedures within 30 days of HHS’ approval.

What’s the Takeaway?

This enforcement action highlights two important takeaways:

  1. The importance of complying with HIPAA rules down to the specific details. Here, the Breach Notification Rule specifies a timeline for providing notification: without unreasonable delay and no later than 60 calendar days after discovering the breach. No feet-dragging allowed when reporting HIPAA breaches. 
  2. Having policies and procedures to cover breach notification (and other HIPAA requirements) is not enough. Your HIPAA policies and procedures not only have to be compliant, but they also must be implemented accordingly. That means (among other things) reporting breaches within the deadline and, as detailed in the CAP here, imposing sanctions on workforce members that fail to comply with HIPAA-related policies and procedures.

Arent Fox’s Privacy, Cybersecurity, and Health care groups monitor developments in the health care data protection field and regularly advise clients on compliance with HIPAA and other data security requirements. If you have any questions about the topic covered here or other matters, please contact Sarah L. Bruno in our San Francisco office; Stephanie Trunk and Samuel Cohen in our Washington, D.C. office, Thomas Jeffry in our Los Angeles office, or the Arent Fox professional who normally handles your matters.



Add this blog to your RSS feed reader.

Arent Fox In Your Inbox
To subscribe to Arent Fox Alerts and other news, click here.


Arent Fox LLP, founded in 1942, is internationally recognized in core practice areas where business and government intersect. With more than 350 lawyers, the firm provides strategic legal counsel and multidisciplinary solutions to clients that range from Fortune 500 corporations to trade associations. The firm has offices in Los Angeles, New York, San Francisco, and Washington, DC.