Skip to Main Content
Services Talent Knowledge
Site Search

Blog Post

January 23, 2017

Time is Not on the Side of Provider With a HIPAA Breach

Time is not on the side of a provider who needs to report a HIPAA breach. The clock starts ticking on the date of discovery of the breach and requires notification to the U.S. Department of Health and Human Services if the breach is impacts 500 or more individuals “without unreasonable delay” and within no more than 60 calendar days. Now, for the first time, the U.S. Department of Health and Human Services has levied a fine against a provider who unintentionally failed to notify the agency within the 60 day period.

In a groundbreaking enforcement action, the agency’s Office for Civil Rights (OCR) recently fined an Illinois hospital network $475,000 for failing to report a breach of more than 800 patients’ health information until 110 days after discovering the breach. The delay by the hospital network Presence Health in informing OCR of a theft of a paper surgical schedule containing information regarding 836 patients was allegedly “due to miscommunications between its workforce members”. OCR also required Presence to revamp its privacy policies and retrain employees within 60 days of the settlement. The enforcement action is notable in that OCR meted out punishment for what is being described as an “unintentional” delay in reporting although the provider had delayed notification to patients in a previous breach that affected less than 500 patients.

It is easy enough for providers and business associates to miss the 60 day deadline if they fail to initiate an investigation immediately upon learning of a possible breach. Even when swift investigatory action occurs, gathering evidence and questioning employees takes time. And for providers and business associates who have already missed the 60 day deadline, this case may prove to be a disincentive to report. However, such entities are cautioned not to avoid a disclosure in order to prevent penalties by OCR. Keeping a lid on a HIPAA breach is a difficult thing to do, and its inevitable disclosure will turn an “unintentional “ delay into an “intentional” delay causing penalties to skyrocket when discovered by the government. Additionally, providers also run the risk of jeopardizing insurance coverage and increased patient lawsuits when the breach is not handled swiftly and pursuant to regulatory requirements.


Click here to sign up for alerts, blog posts, and firm news.


Sign up to receive our latest news via email

Practice Areas

Featured Industries

New & Emerging Industry Practice Areas


View our Privacy Policy

Featured Media


COVID-19: OPWDD Updates Billing Guidance for Certain Providers


COVID-19: Eligible Massachusetts Businesses Begin Reopening Under Commonwealth's Four-Phase Plan


NYS Statutes of Limitation Further Tolled During COVID-19


COVID-19: Eligible Connecticut Businesses to Open May 20


COVID-19: SBA Releases Highly Anticipated PPP Loan Forgiveness Application


NYS COVID-19 Administrative Orders Don't Require Parties to Appear for Remote Depositions

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out