The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued its eighth HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle possible breaches of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to remedy areas of noncompliance.
Sentara runs 12 acute care hospitals in Virginia and North Carolina and has more than 300 care facilities in these states. OCR began a compliance investigation in response to a complaint from a patient on April 17, 2017. The patient reported receiving a bill from Sentara including another patient’s protected health information.
Sentara did make the breach known to OCR, but the breach report stated that only eight people had been impacted, when the mailing had been misdirected and 577 people had had some of their PHI impermissibly disclosed. OCR found that those 577 patients had their information merged with 16,342 different guarantor’s mailing labels.
OCR informed Sentara that under the HIPAA Breach Notification Rule – 45 C.F.R. § 164.408 – notifications were required and that the breach total needed to be updated, but Sentara persisted in its refusal to update the breach report and issue alerts. Sentara maintained that since the bills only included names, account numbers, and dates of service, and not diagnoses, treatment information, and other medical data, it did not constitute a reportable breach.
OCR also discovered that Sentara Hospitals provides services for its member covered entities but had not entered into business associate agreements with its business associate until October 17, 2018.
Sentara Hospital’s parent group and business associate, Sentara Healthcare, had been allowed to create, receive, maintain, and share PHI on its behalf without a BAA being in place. Sentara Hospitals had therefore not received satisfactory assurances that PHI would be secured, in violation of 45 C.F.R. § 164.504(e)(2).
The corrective action plan requires Sentara Hospitals to review its policies and procedures and ensure they are compliant with HIPAA Rules. Policies and procedures must be reviewed and revised at least annually, or more often than that is appropriate. OCR will be scrutinizing Sentara’s compliance efforts for a period of two years from the start date of the corrective action plan.
OCR Director, Roger Severino said: “HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed. When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
The most recent settlement is another example of when HIPAA violations are uncovered in response to complaints from patients rather than data breach investigations. All it takes is for one patient to file a complaint about a possible HIPAA violation for a compliance review to be launched. These investigations can happen at any time, which shows how important it is for healthcare groups to ensure their policies and procedures fully meet the requirements of HIPAA.
To date in 2019, HIPAA-covered entities and business associates have paid $12,124,000 to OCR to resolve breaches of HIPAA Rules.