Published on December 1st, 2019

Sentara Pays $2.2M for Failing to Properly Report Data Breach to OCR



By Jessica Davis

November 27, 2019 - Sentara Hospitals has settled with the Office for Civil Rights for a $2.175 million civil monetary penalty and a corrective action plan over potential HIPAA violations that include failing to timely and accurately report a data breach to the Department of Health and Human Services.

The health system is made up of 12 acute care hospitals and 300 care sites throughout Virginia and North Carolina.

The settlement centers around a 2017 security incident. OCR received a complaint from an individual who alleged Sentara sent a bill to a patient containing the protected health information of another patient.

An OCR investigation revealed that Sentara had actually mailed 577 letters containing patient PHI to the wrong addresses, after those billing statements were merged with 16,342 different guarantors' mailing labels. The mailings contained names, account information, and dates of service.

The problem is that Sentara reported the incident as affecting only eight patients. Health system officials believed that, because the improper disclosure did not contain diagnoses, treatment information, or medical data, no PHI breach had occurred.

However, all patient information must be protected under HIPAA. OCR “explicitly advised” Sentara of their reporting duties, but the health system “persisted in its refusal to properly report the breach.”

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” OCR Director Roger Severino said in a statement.

“When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR,” he added.

What’s more, the OCR investigation revealed that Sentara failed to have a business associate agreement in place with Sentara Healthcare, a covered entity that performed business associate services for the health system involving the receipt, maintenance, and disclosure of PHI for its member covered entities. Sentara did not enter into a business associate agreement until October 17, 2018.

As a result, “Sentara Hospitals allowed their parent corporation and business associate, Sentara Healthcare, to create, receive, maintain, or transmit PHI on their behalf and to provide services involving the disclosure of PHI without obtaining satisfactory assurances.”

The settlement is not an admission of liability by Sentara, nor is it a concession by HHS that Sentara did not violate the HIPAA rules.

In addition to the civil monetary penalty, Sentara agreed to a corrective action plan. Officials will need to develop, maintain, and revise, as necessary, written policies and procedures that comply with HIPAA, regarding breach notifications for unsecured protected health information.

Those policies and procedures must be provided to HHS within 90 days and implemented within 60 days of approval from HHS. And during the compliance term, if OCR disagrees with Sentara’s breach risk assessment, the health system must revise it based on technical assistance provided by OCR.

Sentara must also provide OCR with an implementation report, within 120 days of HHS approval of the written policies and procedures, that summarizes the status of its implementation requirements. OCR must also be provided with all documents and records relating to compliance with the corrective action plan for six years.

With Sentara, OCR has now settled with seven healthcare providers in the last six months over potential HIPAA violations. In this month alone, OCR settled with the University of Rochester Medical Center and the Texas Health and Human Services Commission for a combined $4.3 million.

In August, Beazley Breach Response Services reported that HHS OCR has continued to crack down on HIPAA enforcement over the last year, with a renewed focus on smaller breaches.
