An Illinois health system has been hit with a big fine from the federal government for violating patient privacy and exposing confidential patient data.
The U.S. Department of Health and Human Services Office for Civil Rights has fined Chicago-based Presence Health, which operates 11 hospitals and 27 long-term care and senior living facilities, $475,000 for a 2013 incident in which paper operating schedules for about 836 patients went missing.
The operating schedules included sensitive patient information including names, dates of birth, medical record numbers, and dates of procedures, types of procedures, surgeon names and types of anesthesia. The health system was fined for violating Health Insurance Portability and Accountability Act of 1996, or HIPAA, guidelines.
The operating room schedule records turned up missing in October 2013 from the Presence Health surgery center at St. Joseph’s hospital, a 480-bed hospital in Joliet, Ill. Presence Health was fined for violating HIPAA provisions that required it to notify patients within 60 days of the incident. The Office for Civil Rights and patients were not notified of the incident until February 2014, says Office for Civil Rights director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured private health information so they can take action that could help mitigate any potential harm caused by the breach,” Samuels says.
Presence has agreed to pay the fine and implement a corrective plan of action the health system worked out with the Office for Civil Rights. The plan includes updated staff training and more timely reporting procedures. The health system also calls the incident “isolated.”
“Because patient privacy is a top priority at Presence Health, we are working diligently with the OCR on all steps required under the corrective action plan, including additional associate training in HIPAA policies and procedures,” says a Presence Health spokesman. “This is the culmination of a several year process working with the OCR to resolve a matter we voluntarily reported to the OCR in 2014 related to an isolated incident involving paper records at a surgery center located in Joliet, Ill.”
The health system has yet to say if it has automated the process of tracking operating room schedules on paper, but did say the 2013 incident did not involve any online patient data.
“This incident did not involve any electronic records and did not involve any disclosure of patient contact or financial information,” the spokesman says. “We are confident that reports on our progress to quickly implement revised policies and procedures will be positive.”
Date: January 10, 2017