$2.175M HIPAA settlement highlights breach reporting
Last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its settlement with Sentara Hospitals for failing to properly report a breach and for allowing its parent corporation to create, receive, maintain or transmit protected health information (PHI) of Sentara affiliated hospitals without entering into a business associate agreement (BAA).
The settlement arose out of the mailing of billing statements to incorrect addresses, disclosing PHI of 577 individuals. According to the press release, Sentara undercounted the number of affected individuals due to its mistaken conclusion that only disclosures of patient diagnosis, treatment information or other medical information were required to be reported. As a result, Sentara reported the number of affected individuals as eight, rather than the 577 individuals whose names, account numbers and dates of service were mailed to the wrong addresses and were therefore required to be reported under the Breach Notification Rule. The failure to recognize PHI was exacerbated by the refusal to properly report the breach even after being advised by OCR to do so.
This settlement highlights the importance of performing an appropriate and prompt risk assessment to determine whether a “breach” of PHI occurred and satisfying related reporting obligations under the Breach Notification Rule and state law. The announcement also serves as another reminder for covered entities and business associates to identify their business associate relationships and enter into a BAA documenting each business associate relationship.
Sentara agreed to pay $2.175 million and undertake a corrective action plan with two years of monitoring.
In the press release, Roger Severino, OCR Director, warned that “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
For more information, please contact one of the attorneys listed below.