Sentara Hospitals will pay $2.175 million in penalties for potential violations of HIPAA breach protection and privacy rules. Sentara operates 12 acute care hospitals with more than 300 care facilities across Virginia and North Carolina.
In April of 2017, the U.S. Department of Health and Human Services (HHS) received a complaint that Sentara had sent a bill to an individual that contained another patient’s protected health information (PHI).
The Office for Civil Rights (OCR) launched an investigation. Sentara reported to OCR that only 8 individuals were affected, but the investigation revealed that “Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services.”
Sentara Hospitals was found to have merged the billing statements for 577 patients with 16,342 different guarantors’ mailing labels, which resulted in the disclosure of PHI.
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires every entity covered by HIPAA to provide notification following a breach of unsecured protected health information.
HHS said that “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR.”
The OCR investigation also found that “Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.”
Sentara has now agreed to pay a $2.175 million monetary settlement and to carry out corrective action plans that include two years of monitoring.
HIPAA (Health Insurance Portability and Accountability Act) provides data privacy and security provisions for protecting individuals’ health information, known as “Protected Health Information (PHI)”. HHS and the Office for Civil Rights (OCR) are responsible for implementing the HIPAA Privacy Rule.
“When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR,” said OCR Director Roger Severino.