A breach notification failure and the lack of a business associate agreement has led to a $2.175 million HIPAA penalty for Sentara Hospitals.

The HHS’ Office for Civil Rights launched an investigation following a complaint from a patient of Sentara Hospitals about an impermissible disclosure of protected health information. The patient had been sent a bill in April 2017 that contained the protected health information of another patient.

OCR found that bills containing the PHI of 577 patients had been misdirected after being merged with 16,342 different guarantors’ labels, but Sentara Hospitals only reported the breach as affecting 8 patients. Sentara Hospitals took the position that breach notifications were only required for patients whose diagnoses, treatment information, or other medical data had been exposed. Since the remaining patients had only information such as their name, account number, and dates of service disclosed, Sentara Hospitals concluded that breach notifications were not required for them.

Even after OCR explicitly advised Sentara Hospitals that the incident needed to be reported as affecting 577 patients, Sentara Hospitals maintained its position and did not correct its breach report.

Sentara Hospitals operates 12 acute care hospitals and more than 300 care facilities throughout Virginia and North Carolina. Sentara Hospitals’ parent company, Sentara Healthcare, provides services that require it to create, receive, maintain, and transmit PHI on behalf of Sentara Hospitals.

OCR found that there was no business associate agreement in place prior to October 17, 2018 covering Sentara Healthcare. Consequently, the protected health information of patients had been provided to the parent company and business associate without first having received satisfactory assurances that safeguards would be implemented to ensure the confidentiality, integrity, and availability of PHI and that HIPAA Rules would be followed.

These violations of the HIPAA Breach Notification Rule (45 C.F.R. § 164.408) and the HIPAA Privacy Rule (45 C.F.R. § 164.504(e)(2)) were determined to warrant a financial penalty. In addition to paying the $2.175 million penalty, Sentara Hospitals is required to adopt a corrective action plan to address all areas of noncompliance with HIPAA Rules and faces greater scrutiny from OCR over the next two years.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said OCR Director Roger Severino. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”