Hospital group pays millions to settle HIPAA case

A hospital group serving Virginia and North Carolina has agreed to take corrective action and pay $2.175 million for failing to notify HHS about a HIPAA violation, according to an HHS news release.

Sentara Hospitals, which is comprised of 12 acute care hospitals with more than 300 sites, made the payment to the Office of Civil Rights (OCR) at HHS to settle possible violations of HIPAA breach notification and privacy rules stemming from an April 2017 incident.

At that time, HHS received a complaint that Sentara sent a bill to a patient with another patient’s protected health information. Further investigation found the hospital group mailed 577 patients’ protected health information to wrong addresses, but they only reported the incident as a breach affecting eight patients, the release says.

Sentara believed, incorrectly, that only breaches that included information on patient diagnosis and treatment needed to be reported to HHS. The hospital group refused to report the breach even after being explicitly advised to do so by OCR, the release says.

The office was also able to determine that the hospital group failed to have a business agreement in place with Sentara Healthcare, which performed business associate services for the group.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” Roger Severino, OCR Director, says in the release.  “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

According to the release, Sentara will undertake a corrective action plan which includes two years of monitoring in addition to the monetary settlement.