On November 27, 2019, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), announced a $2.175 million settlement and Corrective Action Plan (CAP) with Sentara Hospitals (Sentara) to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.  Sentara is comprised of ten acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.  Sentara admitted no wrongdoing as part of the settlement.

On April 17, 2017, a complaint was filed to HHS against Sentara alleging that Sentara had sent a bill to an individual containing another patient’s protected health information (PHI). OCR’s investigation revealed that Sentara mailed 577 patients’ PHI to incorrect addresses.  The disclosed PHI included patient names, account numbers and dates of services.

After conducting its own risk assessment, Sentara Hospitals notified HHS of a breach of PHI affecting only eight (8) individuals because Sentara concluded – incorrectly - that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.  Importantly, Sentara did not properly report the number of patients affected by the breach even after OCR explicitly advised Sentara of its calculation methods.  OCR further determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, its parent organization, and an entity that performed business associate services for Sentara.

In addition to the monetary settlement, Sentara will undertake a CAP that includes two (2) years of monitoring  as well as requiring Sentara to do each of the following which are “typically” included in a CAP HIPAA settlement:

• review and revise Sentara’s written policies and procedures to ensure compliance with HIPAA breach notification rules, subject to HHS approval;
• implement the HHS-approved policies and procedures within sixty days of receipt of HHS’ approval;
• distribute the HHS-approved revised policies and procedures to all Sentara workforce members and require a signed certification from substantially all members of Sentara’s workforce that they have read, understand, and shall abide by those policies and procedures;
• assess, update, and revise these policies and procedures at least annually and provide the updated policies and procedures to HHS for review and approval; and
• promptly notify HHS of potential breaches and provide a description of the incident, a copy of the breach risk assessment Sentara conducted, and a description of actions taken to address the matter.

This OCR settlement is an important reminder that HIPAA-covered entities must comply with the Privacy Rules and OCR’s self-reporting requirements and undersand how to correctly count the number of individuals affected by a breach.  All covered entities should review their policies and procedures to ensure they are protecting a patient’s rights under HIPAA.  In addition, a business associate agreement is required between and among members of the same “corporate” family if one entity is performing HIPAA business associate services on behalf of a covered entity that is part of the same organization.