Health care group settles HIPAA violation after releasing patients’ info
Jan 09, 2020
NORFOLK, Va. (AP) — A health care group based in Virginia has agreed to a settlement of almost $2.2 million after hundreds of patients’ health information was wrongfully released.
Sentara’s settlement with the U.S. Department of Health and Human Services was one of the largest the agency sought to collect in 2019, The Virginian-Pilot reported Wednesday.
The company runs several hospitals in Virginia including Sentara Norfolk General Hospital, Sentara Virginia Beach General Hospital and Sentara Northern Virginia Medical Center.
Federal officials said Sentara mailed the health information of 577 patients — including their names, account numbers and dates of services — to incorrect addresses.
Sentara did not report the breach as required; the agency learned of it when it received a complaint in April 2017 about a bill that had been sent to the wrong person, the newspaper said.
Sentara claimed the breach only involved eight patients because the other errors didn’t expose diagnoses and treatments, but officials disagreed.
“When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action,” Roger Severino, director of the agency’s Office for Civil Rights, said in a November statement.
Settlement money will not go to patients
The $2.175 million settlement requires Sentara to undergo two years of monitoring, review its privacy policies, and submit regular compliance reports. As part of the agreement, the company did not admit wrongdoing.
Sentara spokesman Dale Gauding said the company has since added more quality control measures and hired a new privacy director.
The settlement money will not go to the patients whose health information was compromised. Instead, it goes to the federal agency.
Feds Secure $2.175 Million HIPAA Settlement for Breach of Private Health Information; Patients Will NOT Share In Payment
Office for Civil Rights (OCR), U.S. Department of Health and Human Services
Sentara Hospitals have agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules. Sentara comprises 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information (PHI). OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services.
Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.
Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR.
OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sentara/index.html