If only we were talking about a card game. Unfortunately for Sentara Hospital, we aren’t. Instead, we are referring to Sentara receiving the unwanted title of eighth recipient of a HIPAA financial penalty in 2019. The $2.175 million fine comes with the requirement to create a corrective action plan addressing the areas of non-compliance of which they were found guilty.
Sentara operates 12 acute care hospitals and 300 care facilities in the North Carolina and Virginia areas. In April 2017, the Department of Health & Human Services’ Office for Civil Rights (OCR) responded to a patient complaint: the individual had received another person’s bill and therefore had insight into protected health information (PHI) that wasn’t theirs. Sentara became aware of the breach and reported it to OCR, identifying 8 individuals who had been affected by the misdirected mailing, along with 577 others whose PHI had been exposed.
OCR advised that the figure of 8 needed to be updated, since those 577 patients had their information merged with 16,342 different guarantors’ mailing labels, but Sentara refused to update the breach report and notifications. This was in direct violation of the HIPAA Breach Notification Rule, 45 C.F.R. § 164.408. Sentara’s position was that because the bills contained only names, account numbers, and dates of service, and no actual diagnosis or treatment information, the incident was not a reportable breach.
That’s All Right?
Unfortunately for Sentara, no. OCR then found that Sentara had not entered into a business associate agreement until October 2018, even though its parent organization (and business associate), Sentara Healthcare, had been creating, receiving, and maintaining PHI on its behalf. All done…yep, you guessed it, WITHOUT a BAA being in place.
This is a perfect example of the complexity of HIPAA compliance, and of why having the right team in place to guide you through achieving and maintaining compliance is critical to your business. OCR doesn’t make decisions based on your business size or your ability to care for patients; its decisions are based on laws and guidelines that must be adhered to diligently. Those rules are in place to protect the patient, not the practice.
Your business, regardless of size or intention, must have a solid HIPAA team in place.
This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.
The HIPAA Secure Now! suite of subscriptions offers an extensive list of tools to provide ongoing training, assessment, moderation activities and more to support an organization’s privacy and security efforts. Subscriptions also support the process of conducting an annual Security Risk Assessment to meet MIPS and Promoting Interoperability requirements.
The subscriptions work for organizations of all sizes, both Covered Entities and Business Associates. All are priced at a flat annual fee, based on the number of employees, for a full 12 months. All include a discount if purchased through us.
If your organization has more than 50 employees, if you’d like to schedule a demo, or if you just want a couple of questions answered, take a few seconds to complete this form and we will get back to you.