If only we were talking about a card game. Unfortunately, for Sentara Hospitals, we aren't. Instead, we are referring to them receiving the unwanted title of eighth recipient of a HIPAA financial penalty in 2019. The $2.175 million settlement comes with the requirement to adopt a corrective action plan addressing the areas of non-compliance identified in OCR's investigation.
Sentara operates 12 acute care hospitals and 300 care facilities in Virginia and North Carolina. In April 2017, the Department of Health & Human Services' Office for Civil Rights (OCR) responded to a complaint from a patient who had received another person's bill, and with it that person's protected health information (PHI). Sentara had already become aware of the misdirected mailing and reported it to OCR as a breach affecting 8 individuals.
OCR's investigation found that the mailing was far larger than reported: 577 patients had their information merged with 16,342 different guarantors' mailing labels. OCR advised Sentara that the breach report and the patient notifications needed to be updated to reflect the 577 affected individuals, but Sentara refused. This was a direct violation of the HIPAA Breach Notification Rule – 45 C.F.R. § 164.408. Sentara's position was that because the bills contained only names, account numbers, and dates of service, and no diagnosis or treatment information, the incident was not a reportable breach. That position does not hold up: names, account numbers, and dates of service are themselves identifiers that make the information PHI, and an impermissible disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. No diagnosis or treatment detail is required.
That’s All Right?
Unfortunately for Sentara, no. OCR also found that Sentara had allowed its parent organization, Sentara Healthcare, to create, receive, and maintain PHI on its behalf as a business associate, and had not executed a business associate agreement (BAA) with it until October 2018. All of that PHI handling was done…yep, you guessed it, WITHOUT a BAA in place.
This is a perfect example of the complexity of HIPAA compliance, and of why having the right team in place to guide you through becoming and staying compliant is critical to your business. OCR does not make decisions based on your organization's size or the quality of care it delivers; its decisions are based on laws and regulations that must be followed diligently. Those rules exist to protect the patient, not the practice.
Your business, regardless of size or intention, must have a solid HIPAA team in place.