New York hospital waits 15 months to announce HIPAA breach, notify patients
Samaritan Hospital in eastern New York, just outside Albany, may eventually face hefty fines from the Office for Civil Rights (OCR): only on Friday did the hospital notify the public of a HIPAA privacy breach stemming from a November 2011 incident.
“We received an inquiry that suggested that protected health information contained in electronic medical records that related to a patient at Samaritan Hospital may have been improperly accessed by a supervisory nursing staff member employed at the Rensselaer County Jail,” Elmer Streeter, director of communications at St. Peter's Health Partners, the system Samaritan Hospital is part of, told the Troy Record.
[See also: HHS makes 'sweeping' changes to HIPAA.]
Despite the incident occurring more than 15 months ago, "Patients have not been notified," Streeter told Healthcare IT News. He expects letters will be sent to patients next week. When asked how many individuals were affected, Streeter would not confirm the number. "I can't tell you that," he said.
According to officials, when the 238-bed Samaritan Hospital discovered the breach in November 2011, hospital officials notified the sheriff's office, which then asked the hospital to refrain from notifying patients and OCR, the Troy Record reports. "If a law enforcement agency asks to delay notification so as not to impede an investigation of a potentially criminal nature, we have to comply," Streeter added.
However, under the Breach Notification Rule, issued in August 2009 as part of HIPAA, covered entities must notify affected individuals of a breach without unreasonable delay and "in no case later than 60 days following the discovery of a breach." The notice must include a description of the breach; a description of the types of information involved; steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate, mitigate the harm, and prevent further breaches; and contact information for the covered entity. Furthermore, for a breach involving more than 500 residents of a state or jurisdiction, the covered entity must also notify prominent media outlets within the same 60-day window. Samaritan Hospital provided neither notification within that period. The rule does permit a delay when a law enforcement official states that notification would impede a criminal investigation (45 CFR 164.412), but an oral request justifies a delay of no more than 30 days unless the official follows up with a written statement specifying a longer period, so the length of any law-enforcement-requested delay, and the documentation behind it, is what OCR will scrutinize.
If the recent past is any indication of what's slated for Samaritan Hospital, fines from OCR could indeed be in its future.
Just in January, Hospice of North Idaho agreed to pay $50,000 to settle HIPAA violations after HHS said the group had failed to conduct the required risk analysis.
[See also: Lawyer: Ignore HIPAA at your own risk.]
Other recent HIPAA settlements include $100,000 paid by Phoenix Cardiac Surgery for posting patients' clinical appointments on a publicly accessible Internet calendar; $1.7 million handed over to HHS by the Alaska Department of Health and Social Services after the agency failed to conduct a risk analysis, address encryption, or implement device and media controls; and the $865,500 paid by the UCLA Health System over the improper disclosure of medical records.