On November 27, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Sentara Hospitals (Sentara) has agreed to pay $2.175 million to OCR and to adopt a corrective action plan that includes two years of monitoring, settling possible violations of HIPAA. Sentara has 12 acute care hospitals and more than 300 sites of care in Virginia and North Carolina.
In April 2017, OCR received a complaint that an individual had received a bill from Sentara containing PHI for another patient. OCR opened an investigation and determined that Sentara had improperly disclosed the PHI of 577 patients to the wrong addresses. This occurred when Sentara accidentally merged these patients' billing statements into the mailing labels of more than 16,342 other individuals. The information included patient names, account numbers, or dates of service. Sentara, however, incorrectly concluded from its risk assessment that the improper disclosure constituted a breach affecting only eight individuals. Specifically, Sentara wrongly believed that notification to OCR and to affected individuals was required only if patient diagnosis, treatment information, or other medical information had been improperly disclosed.
Even after OCR advised Sentara of its duty to properly report the breach for the remaining 569 individuals, OCR noted that “Sentara persisted in its refusal to properly report the breach…” OCR’s investigation also found that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performs business associate services for Sentara, until October 17, 2018.
The penalty and corrective action plan are an important reminder to covered entities to report breaches to OCR accurately and in a timely manner. Under HIPAA, covered entities must perform comprehensive risk assessments when determining whether a breach occurred and must thoroughly evaluate the probability that PHI has been compromised. Once a reportable breach has been determined, covered entities are required to notify OCR of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days following the breach. If a breach affects fewer than 500 individuals, a covered entity may notify OCR of that breach on an annual basis.
To drive the reporting requirement point further, OCR Director Roger Severino stated, “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”