The Department of Health and Human Services' Office of Civil Rights (OCR) has announced a $2.1 million settlement with a healthcare network that was accused of violating the Health Insurance Portability and Accountability Act (HIPAA) after it mailed bills to individuals that contained the protected health information (PHI) of other patients.
Sentara, a healthcare network of 12 hospitals in Virginia and North Carolina, was found to have sent bills to nearly 600 patients that included PHI of other individuals, including patient names, account numbers, and dates of services. Sentara had argued that the breach only affected eight people because a breach only needed to be reported in the event that patient diagnosis, treatment information or other medical information was disclosed. “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR,” OCR wrote in a press release announcing the settlement.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
Along with the monetary settlement, Sentara has also agreed to implement a corrective action plan, which will require it to update its policies and procedures, and to notify the Department of Health and Human Services when the hospital network has received information about a potential incident but, after investigating it, has deemed that no breach occurred.