Sentara Hospitals reaches $2.175M HIPAA settlement with OCR

Virginia-based Sentara Hospitals will pay the Department of Health and Human Services’ Office for Civil Rights nearly $2.2 million to settle potential HIPAA violations.



The agreement between OCR and Sentara, which operates 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina, is the result of allegations that the healthcare provider didn’t properly notify the agency of a breach of unsecured protected health information.


According to OCR, the agency received a complaint in April 2017 alleging that Sentara had sent a bill to an individual containing another patient’s protected health information. In fact, OCR’s investigation discovered that Sentara mailed 577 patients’ health information to wrong addresses; this shared information included patients’ names, account numbers and dates of services.

“Sentara reported this incident as a breach affecting eight individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred,” contends HHS. “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.”

Besides agreeing to pay $2.175 million to HHS, Sentara has entered into a corrective action plan, including two years of monitoring, with which the provider has agreed to comply.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said OCR Director Roger Severino in a written statement. “When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

The OCR-Sentara resolution agreement and corrective action plan can be found here.
