The 8th HIPAA financial penalty of 2019 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Sentara Hospitals has agreed to pay a penalty of $2.175 million to settle potential violations of the HIPAA Privacy and Breach Notification Rules and to adopt a corrective action plan addressing its areas of noncompliance.
HIPAA compliance depends on correct and timely self-reporting of breaches, since patients and the public need to know when their sensitive information has been exposed. Healthcare providers that fail to report breaches as required by law should expect tough enforcement action from OCR.
Sentara operates 12 acute care hospitals in Virginia and North Carolina and has over 300 care facilities in each state. OCR opened a compliance investigation in response to a patient complaint received on April 17, 2017. The patient alleged having received a bill from Sentara containing the protected health information (PHI) of another patient.
Sentara reported the breach to OCR, but the breach report stated that only 8 people were affected by the misdirected mailing; in fact, 577 people had some of their PHI impermissibly disclosed. OCR learned that the 577 patients’ information had been merged with the mailing labels of 16,342 different guarantors.
OCR advised Sentara that the HIPAA Breach Notification Rule (45 C.F.R. § 164.408) required the notifications and an updated breach total, but Sentara still refused to file an updated breach report or to issue notifications. Sentara maintained that, because the bills included only names, account numbers, and dates of service, and not diagnoses, treatment data, or other medical information, the incident did not qualify as a reportable breach.
OCR additionally learned that Sentara Hospitals had been providing services to its member covered entities without a signed business associate agreement (BAA) in place with its business associate until October 17, 2018.
Sentara Healthcare, the parent organization and business associate of Sentara Hospitals, was permitted to create, receive, maintain, and transmit PHI on its behalf without a BAA in place. Sentara Hospitals had consequently not obtained satisfactory assurances that PHI would be safeguarded, in violation of 45 C.F.R. § 164.504(e)(2).
The corrective action plan requires Sentara Hospitals to revise its policies and procedures and to ensure they comply with the HIPAA Rules. Policies and procedures must be reviewed and updated at least annually, or more frequently where appropriate. OCR will monitor Sentara’s compliance efforts for two years from the start of the corrective action plan.
The latest settlement is one more example of HIPAA violations uncovered through a patient complaint rather than a data breach investigation. A single complaint from a patient about a potential HIPAA violation is enough to trigger a compliance review. These investigations can happen without notice, which underscores the need for healthcare organizations to ensure that their policies and procedures fully satisfy the HIPAA requirements.
So far in 2019, HIPAA-covered entities and business associates have paid $12,124,000 to OCR to resolve violations of the HIPAA Rules.