Virginia-based Sentara Hospitals has agreed to a $2.175 million settlement with the Office for Civil Rights at the U.S. Department of Health and Human Services (OCR) for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), covering its ten hospitals.
On April 17, 2017, the OCR received a complaint alleging that an incorrect hospital bill, containing another patient’s Protected Health Information (PHI), was mailed to a patient of the hospital. An investigation revealed that 577 patients’ billing statements were improperly mailed to the wrong addresses. However, Sentara Hospitals only reported the breach as affecting eight individuals. The hospital improperly determined that reportable breaches must involve the disclosure of patient diagnosis, treatment information, or other medical information; the hospital did not consider other demographic information as constituting a breach. Sentara Hospitals refused to properly report the breach, despite being instructed to do so by OCR.
In addition to the $2.175 million settlement, Sentara Hospitals entered a two-year Corrective Action Plan. Among other obligations, Sentara Hospitals agreed to develop and maintain appropriate written policies and procedures that not only comply with HIPAA, but are submitted for review and approval by OCR. Furthermore, Sentara Hospitals must provide the OCR with a report of any and all potential breach incidents, even if internal investigations determine that such incidents are not reportable breaches.
Covered entities must conduct thorough investigations into security incidents involving PHI to accurately determine whether a reportable breach has occurred. Contact Frier Levitt today for review of your practice’s HIPAA compliance plan, including your breach incident response procedures.