Dive Brief:
- Sentara Hospitals has agreed to pay $2.175 million to settle a data breach involving the protected health information of its patients. It did not admit wrongdoing as part of the settlement.
- An investigation of a patient's complaint by the HHS Office of Civil Rights concluded the Southeastern healthcare provider had mailed the PHI of 577 patients to incorrect addresses. However, Sentara had insisted the incorrectly mailed PHI only involved eight patients, far below the legal threshold for reporting a breach to HHS. The office also concluded that Sentara's hospital division did not have a business associate agreement in place with the affiliated Sentara Healthcare at the time of the breach.
- Sentara Hospitals agreed to a corrective action plan including new HIPAA-related training materials for employees. It also agreed to keep OCR briefed on the progress of the corrective action plan for the next six years. The agreement involves 10 of the 12 hospitals it operates in Virginia and North Carolina.
Dive Insight:
Data breaches occur virtually every day in the healthcare realm: unencrypted laptops or flash drives are lost or stolen, employees without authorization peek at the medical records of relatives or celebrities, or sensitive paperwork is improperly disposed of. However, the recent case of Sentara Hospitals suggests that OCR definitively frowns upon denials of such breaches.
That was apparently the case with Sentara Hospitals, which in 2017 had inadvertently merged 577 patient billing statements into the mailing labels of more than 16,300 other people, leading to a breach of PHI. However, Sentara officials had insisted that only eight cases of PHI breaches occurred because the other incidents did not include patient diagnoses, treatment or other medical information. The HHS office said that not only was that assessment incorrect, the hospital operator had "persisted in its refusal" to properly report the extent of the breach, even after being advised by the agency of its legal duty to do so.
"HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed," OCR Director Roger Severino said in a statement. "When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR."
The settlement amount is substantial by OCR standards, particularly given the breach barely broke the federal reporting threshold of 500 patients. That suggests Sentara was being punished as much for its recalcitrance as it was for the breach itself. That no business associate agreement was in place between Sentara Hospitals and affiliate Sentara Healthcare until October 2018 — 18 months after the breach occurred — also likely played into the size of the fine and the length of time that Sentara Hospitals has to supply documentation to the OCR.