Sentara Hospitals Agrees to Pay $2.175 Million HIPAA Penalty for Breach Notification Rule and BAA Violations

The 8th HIPAA financial penalty of 2019 has been announced by the Department of Health and Human Services' Office for Civil Rights (OCR). Sentara Hospitals has agreed to pay a $2.175 million penalty to settle potential violations of the HIPAA Privacy and Breach Notification Rules and to adopt a corrective action plan to address the areas of noncompliance.

HIPAA compliance relies on accurate and prompt self-reporting of breaches, since patients and the public need to know when their sensitive data has been exposed. When health care providers fail to report breaches as required by law, they should expect strong enforcement action from OCR.

Sentara operates 12 acute care hospitals in North Carolina and Virginia and has more than 300 care facilities in the two states. OCR opened a compliance investigation in response to a patient complaint received on April 17, 2017. The patient reported receiving a billing statement from Sentara that contained the protected health information (PHI) of another patient.

Sentara submitted a breach report to OCR, but the report stated that only 8 individuals were affected by the misdirected mailing, even though 577 individuals had some of their PHI impermissibly disclosed. OCR found that the 577 patients' information had been merged with the mailing labels of 16,342 different guarantors.

OCR informed Sentara that the HIPAA Breach Notification Rule (45 C.F.R. § 164.408) required it to issue breach notifications and update the breach total, but Sentara continued to refuse to submit an updated breach report and send notifications. Sentara maintained that because the billing statements listed only names, dates of service, and account numbers, and not diagnoses, treatment details, or other healthcare data, the incident did not constitute a reportable breach.

OCR also found that Sentara Hospitals provided services to its member covered entities without a signed business associate agreement (BAA) in place with its business associate until October 17, 2018.

Sentara Healthcare, the parent company and business associate of Sentara Hospitals, was permitted to create, receive, maintain, and transmit PHI on its behalf without a BAA in place. Sentara Hospitals had therefore not obtained reasonable assurances that PHI would be safeguarded, in violation of 45 C.F.R. § 164.504(e)(2).

The corrective action plan requires Sentara Hospitals to revise its policies and procedures and ensure they comply with the HIPAA Rules. Policies and procedures must be reviewed and updated at least annually, or more frequently as needed. OCR will monitor Sentara's compliance efforts for two years from the start of the corrective action plan.

The latest settlement is another example of HIPAA violations uncovered through patient complaints rather than data breach investigations. A single patient complaint about a potential HIPAA violation is enough to trigger a compliance investigation. These investigations can occur at any time, which underscores the importance for healthcare organizations of ensuring that their policies and procedures fully meet HIPAA requirements.

So far in 2019, HIPAA-covered entities and business associates have paid $12,124,000 to OCR to resolve violations of the HIPAA Rules.