In its most recent HIPAA settlement, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a $2.175 million HIPAA fine to Sentara Hospitals. The HIPAA settlement stemmed from a breach in April 2017 that affected 577 patients. In addition to the fine, Sentara Hospitals has agreed to adhere to corrective action plans, to be submitted to HHS for approval.
What Caused the Breach?
In April of 2017, Sentara Health violated the HIPAA Privacy Rule when they accidentally sent billing statements containing the protected health information (PHI) of patients to the wrong individuals. The mishap resulted in the unauthorized disclosure of 577 patients’ PHI. Upon discovery of the error, Sentara Hospitals conducted a risk assessment and reported the incident to the HHS.
Why Was the HIPAA Fine Issued?
Although Sentara Hospitals reported the breach to the HHS, they did so improperly. Sentara reported that only 8 patients were affected by the breach, because they did not fully understand what is considered PHI. Sentara was under the impression that, since the other 569 billing statements did not contain treatment, medical, or diagnostic information, they were not reportable under HIPAA Breach Notification requirements. However, those statements did include patient names, account numbers, and dates of service, all considered PHI by the HHS.
There is a common misconception that as long as no medical information is exposed, a breach is not reportable. However, the HHS identifies the following as PHI:
- Patient names
- Geographical elements (such as a street address, city, county, or zip code)
- Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers, such as website URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Full face photographic images
- Other identifying numbers or codes
In response to the HIPAA settlement, Roger Severino, OCR Director, stated, “HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed. When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
In addition to improper breach notification, the HIPAA audit uncovered that until October 2018, Sentara Hospitals did not have a signed business associate agreement (BAA) with Sentara Healthcare, one of their business associates (BAs). Sentara Healthcare is Sentara Hospitals’ parent company, managing the 12 hospitals under the Sentara umbrella. Sentara Healthcare creates, maintains, and transmits PHI on behalf of Sentara Hospitals, and as such, is considered a business associate under HIPAA law. HIPAA requires covered entities (CEs) to have signed BAAs with their business associates before they may share PHI. Since Sentara Hospitals failed to secure a BAA with Sentara Healthcare before they shared PHI, this is a HIPAA violation.
What Else Did the HIPAA Settlement Require?
Not only is Sentara required to pay a $2.175 million HIPAA fine, they must also develop corrective action plans. The HIPAA settlement mandates that Sentara Hospitals create written policies and procedures for proper breach notification to be reviewed and approved by the HHS. These must be submitted to the HHS within 90 days for approval. Should the HHS recommend any changes, Sentara Hospitals will have 45 days to make revisions to be submitted for HHS’ approval. Once the policies and procedures are approved, Sentara Hospitals will have 60 days to implement the approved policies and procedures.
Additionally, all employees are required to be trained on the new policies and procedures within 60 days, and new employees must be trained within 30 days after their start date. Employee training must enable employees to legally attest that they have read, understood, and agree to adhere to the policies and procedures.